The OAuth 2.0 Bearer Token Usage over the Constrained Application Protocol (CoAP)

The information below is for an old version of the document.
Document Type: This is an older version of an Internet-Draft whose latest revision state is "Replaced". Expired & archived.
Author: Hannes Tschofenig
Last updated: 2015-01-05 (Latest revision 2014-07-04)
Replaced by: draft-ietf-ace-oauth-authz, RFC 9200
RFC stream: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

This specification describes how to use OAuth 2.0 bearer tokens to access protected resources using the Constrained Application Protocol (CoAP). Any party in possession of a bearer token (a "bearer") can use it to get access to the associated resources (without demonstrating possession of a cryptographic key). To prevent misuse, bearer tokens need to be protected from disclosure in storage and in transport.


Hannes Tschofenig

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)