All Products
Search

This Product

    Marketplace:Device Connection Authentication

    Document Center

    Marketplace:Device Connection Authentication

    Last Updated:Mar 25, 2025

    Important

    DISCLAIMER

    Please note that all content presented on this page is provided by Tuya (HK) Limited. Alibaba Cloud makes no representations and warranties, explicit or implied, as to the authenticity or accuracy of any such content, nor makes any guarantee to the condition, quality, durability, performance, reliability, merchantability or fitness for a particular purpose, or non-infringement of any products and/or services made available by Tuya (HK) Limited. 

    MQTT-TLS is an MQTT connection based on the TLS protocol. Devices and IoT platform use the publish/subscribe MQTT mode to communicate. The TLS protocol can encrypt the communication process to ensure data security.

    Background Information

    When setting the MQTT CONNECT protocol, pay attention:

    • If the same device certificate (ProductKey, DeviceName, and DeviceSecret) or the same set of ProductKey, DeviceName, ClientID, and DeviceToken are used to connect multiple physical devices at the same time, the client may frequently go online or offline. Because when the new device is connected and authenticated, the original device will be forced to go offline, and when the device is offline, it will automatically try to reconnect.

    • In MQTT connection mode, the device side Device connection by using Link SDKit will automatically reconnect after disconnection. You can view the device behavior in Log Service.

    MQTT client direct connection

    Important The security risks of TCP access are very high. We strongly recommend that you use TLS.

    1. To ensure communication security, you need to use the TLS encryption connection method.

      To develop your own device, you need to use the root certificate to authenticate the IoT platform. There are currently two sets of root certificates:

      • Tuya IoT platform self-signed CA certificate, the CA root certificate is valid for a long time and is connected to the 8883 port.

      • GoGetSSL_RSA CA certificates, the CA root certificate is valid until September 05, 2028 (GMT), and the 443 port is connected. After the certificate expires, it can no longer be used to verify the server. Therefore, make sure that all devices that use TLS encryption have the ability to update the CA root certificate.

      • TCP connection without TLS encryption, using 1883 Port, which is insecure connection , the recommend is only used for testing and verification, not recommend the formal production environment.

    2. Use the MQTT client to connect to the server.

    Parameters

    description

    Access Domain Name

    On the console page menu 「 development Configuration 」 >>「 MQTT 」to view the access domain name of MQTT, see View and configure instance Endpoint information (Endpoint).

    Variable header: Keep Alive

    The CONNECT command must contain Keep Alive. The value range of the keep-alive heartbeat time is 30 seconds to 1200 seconds, and it is recommended that the value be more than 300 seconds. If the network is unstable, set the heartbeat time longer. If the heartbeat time is not within the keep-alive time, the IoT platform rejects the connection.

    CONNECT parameters of MQTT

    Pre-registration authentication method: Use device certificates (ProductKey, DeviceName, and DeviceSecret) to connect. 

    mqttClientId: clientId+"|securemode=3,signmethod=hmacsha1,timestamp=132323232|"
mqttUsername: deviceName+"&"+productKey
mqttPassword: sign_hmac(deviceSecret,content)

    • MqttClientId : in format | | inside is an extension parameter.

    • ClientId : indicates the client ID, which can be customized and cannot exceed 64 characters in length. We recommend that you use the MAC address or SN code of the device to identify and distinguish different clients.

    • Securemode : Indicates the current security mode. The available values are 2(TLS direct connection mode) and 3(TCP direct connection mode).

    • Signmethod indicates the signature algorithm type. Supports hmacmd5,hmacsha1, and hmacsha256.

    • Timestamp: Indicates the current time millisecond value, which may not be passed.

    • MqttPassword : sign signature needs to sort the parameters submitted to the server by dictionary and sign them according to signmethod. For an example of signature calculation, see Examples of creating signatures for MQTT connections.

    • Content the value of is the parameter submitted to the server ( productKey , deviceName , timestamp and clientId ), sort according to the first letter of the parameter name dictionary, and then concatenate the parameter values in turn.

    Important Here productKey and deviceName is a required parameter, timestamp and clientId is an optional parameter. If incoming timestamp orclientId , must be mqttClientId the settings in are the same.

    Example: Assumption clientId = 12345,deviceName = device, productKey = pk, timestamp = 789,signmethod=hmacsha1,deviceSecret=secret then the parameters submitted to MQTT using TCP are as follows: 

    mqttclientId=12345|securemode=3,signmethod=hmacsha1,timestamp=789|
mqttUsername=device&pk
mqttPassword=hmacsha1("secret","clientId12345deviceNamedeviceproductKeypktimestamp789").toHexString();

    The encrypted Password is a binary-to -16 string. The example result is: 

    FAFD82A3D602B37FB0FA8B7892F24A477F85****

    MQTT signature parameter calculation method, see how to calculate MQTT signature parameters.

    MQTT keep alive

    During the keep-alive interval, the device needs to send at least one packet, including a ping request. The connection keep-alive time ranges from 30 seconds to 1200 seconds. The recommended value is more than 300 seconds. The heartbeat timing starts when the CONNACK response CONNECT message is sent from the IoT platform. The timer is reset when a PUBLISH, SUBSCRIBE, PING, or PUBACK message is received. The IoT platform regularly detects the keep-alive heartbeat of the device every 30 seconds. The time between the online time point of the device and the latest timing detection time point is the waiting time for timing detection. Define the maximum timeout: keep-alive heartbeat time * 1.5 + waiting time for timing detection . The server automatically disconnects when the maximum timeout period is exceeded without receiving a device message.

    Use java language to calculate connection parameters and use paho to connect

    Click to download java language code sample

    1. The code shows three ways to connect to the platform, running the corresponding main method to connect and publish and subscribe.

      1. Use TCP to establish an unencrypted and insecure connection. See ConnectTuyaIotPlatformTcpDemo

      2. Use a standard certificate to establish a secure TLS connection. See ConnectTuyaIotPlatformStandardCertDemo

      3. Use the Tuya self-signed certificate to establish a secure TLS connection. See ConnectTuyaIotPlatformSelfSignCertDemo

    2. The code calculates the connection parameters. You need to replace the variables productKey, deviceName, deviceSecret, and endpoint in the code.