Azure IoT Hub Token vs. Connection String RRS feed

  • Question

  • Hello everyone,

    i am trying to understand the difference between connection strings and tokens in the Azure IoT Hub.
    Connection Strings are responsible for authorization. This consists of the device and the shared access key.
    A token is for authentication.
    But how does this work together? If I can connect to a device via the connection string, I can receive any information, like what the device sends. Don't I need a secure authentication here as well? Doesn't it have to work together with the token?
    Can someone explain to me briefly and concisely the difference between when I use a connection string and when I use a token?

    Best Regards,


    Thursday, April 2, 2020 6:31 PM

All replies

  • Hello,

    Thank you for your question!

    Let me start by sharing three docs to help you understand it better:

    IoT Hub Security Tokens: IoT Hub uses security tokens to authenticate devices and services to avoid sending keys on the network. Additionally, security tokens are limited in time validity and scope. Azure IoT SDKs automatically generate tokens without requiring any special configuration.

    The connection strings you can get from the portal are in plain text and look like this:

    IotHub Level Connection String,:

    • HostName=youriothub.azure-devices.net;
    • SharedAccessKeyName= The policy name you defined with access options (for eg. iothubowner);
    • SharedAccessKey=Primary or Secondary Key of the policy

    Device Level Connection String:

    • HostName=youriothub.azure-devices.net;
    • DeviceId= yourdeviceId;
    • SharedAccessKey=Primary or Secondary Key of the device

    The Security Token has the following format (When using a device identity's symmetric key to generate a token, the policyName (skn) element of the token is omitted.):

    • SharedAccessSignature sig={signature-string}&se={expiry}&skn={policyName}&sr={URL-encoded-resourceURI}

    What you need to assure is that the SharedAccessKey is stored securely on your device or application used to manage the service. Those keys are used to generate the security Tokens, see code example below:

    using System;
    using System.Globalization;
    using System.Net;
    using System.Net.Http;
    using System.Security.Cryptography;
    using System.Text;
    public static string generateSasToken(string resourceUri, string key, string policyName, int expiryInSeconds = 3600)
        TimeSpan fromEpochStart = DateTime.UtcNow - new DateTime(1970, 1, 1);
        string expiry = Convert.ToString((int)fromEpochStart.TotalSeconds + expiryInSeconds);
        string stringToSign = WebUtility.UrlEncode(resourceUri) + "\n" + expiry;
        HMACSHA256 hmac = new HMACSHA256(Convert.FromBase64String(key));
        string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
        string token = String.Format(CultureInfo.InvariantCulture, "SharedAccessSignature sr={0}&sig={1}&se={2}", WebUtility.UrlEncode(resourceUri), WebUtility.UrlEncode(signature), expiry);
        if (!String.IsNullOrEmpty(policyName))
            token += "&skn=" + policyName;
        return token;

    And as stated above, if you are using the azure iot sdks , it automatically generate tokens without requiring any special configuration (this is you just need to provide the connection string that has all the info needed to generate the tokens).

    In case the information in this post is helpful , please feel free to mark this response as answer so that it can help others searching for similar questions.

    Thank you!

    Thursday, April 9, 2020 10:25 AM
  • Hello SebInCloud,

    Do you have further questions? If we answered your question, mark it as answer so that it can help others searching for similar questions.

    Thank you!

    Monday, April 20, 2020 6:26 AM