Password Authentication

This API allows password authentication of client and device. Note that instead of using this low-level API, it is recommended for applications to use the Nabto Edge IAM Module ( That module implements our recommended best practices where password based authentication is only used for bootstrapping (pairing), instead using public key authentication subsequently.

Password authentication is bidirectional and based on PAKE, such that both the client and the device learns that the other end knows the password, without revealing the password to the other end. Only one password authentication listener can exist on the system. The Nabto IAM module can be used to handle password authorization requests.

Internally, the Nabto device core supports PAKE through CoAP endpoints. Access to these endpoints are throttled if a client provides an invalid username/password to prevent brute force password cracks. Throttling is done using a token bucket of size 10 and rate 1. This allows 10 incorrect attempts without throttling, after which only 1 attempt pr. second is allowed. After 10 seconds of inactivity, the token bucket is fully replenished. Throttled requests are rejected with status code 429.


  1. Create a new listener. nabto_device_listener_new()
  2. Init the listener to listen for password_authentication_requests. nabto_device_password_authentication_request_init_listener()
  3. Listen for events on the listener. nabto_device_listener_new_password_authentication_request()
  4. Handle the password authentication request
    1. Get the username used for the request. nabto_device_password_authentication_request_get_username()
    2. Set a password to use with the username. nabto_device_password_authentication_request_set_password()
    3. Free the password authentication request. nabto_device_password_authentication_request_free()
  5. Later, use the state of the password exchange. nabto_device_connection_is_password_authenticated()