M2M Authentication
Enterprise Preview
M2M authentication is currently in enterprise preview. The protocol design is Optropic-internal and may become a future DIN SPEC submission.
Machine-to-machine (M2M) authentication enables automated device-to-API trust without human interaction. Devices register once, then authenticate via a cryptographic challenge-response protocol.
Protocol Flow
Device                  Optropic API
│                                  │
├── Register Device ──────────────►│
│◄── Device ID + Public Key ───────┤
│                                  │
├── Initiate Challenge ───────────►│
│◄── Challenge Nonce ──────────────┤
│                                  │
├── Sign(nonce) ──────────────────►│
│◄── Verified ✓ / Denied ✗ ────────┤
Usage
TypeScript:
// Register a new device
// (ed25519PublicKeyHex is the device's hex-encoded Ed25519 public key)
const device = await client.m2m.registerDevice({
  deviceId: 'scanner-floor-3',
  publicKey: ed25519PublicKeyHex,
  label: 'Factory Floor Scanner #3',
});
// Initiate a challenge
const challenge = await client.m2m.initiateChallenge({
  deviceId: 'scanner-floor-3',
});
// Verify the signed response
const result = await client.m2m.verify({
  challengeId: challenge.id,
  signature: signedNonce, // device signs challenge.nonce
});
if (result.verified) {
  console.log('Device authenticated ✓');
}
Python:
# Register a new device
# (ed25519_public_key_hex is the device's hex-encoded Ed25519 public key)
device = client.m2m.register_device(
    device_id="scanner-floor-3",
    public_key=ed25519_public_key_hex,
    label="Factory Floor Scanner #3",
)
# Initiate a challenge
challenge = client.m2m.initiate_challenge(device_id="scanner-floor-3")
# Verify the signed response
result = client.m2m.verify(
    challenge_id=challenge["id"],
    signature=signed_nonce,  # device signs challenge["nonce"]
)
if result["verified"]:
    print("Device authenticated ✓")
Device Management
// List all registered devices
const devices = await client.m2m.listDevices();
// Get a specific device
const device = await client.m2m.getDevice('scanner-floor-3');
// Revoke a device
await client.m2m.revokeDevice('scanner-floor-3');
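The register, challenge, sign and verify flow above, together with revocation, sketched end to end as an added example (not Optropic's code or SDK; the protocol internals are not published on this page). It is an in-memory verifier built on Node's built-in crypto that issues single-use, expiring nonces and refuses revoked devices. The function names mirror the SDK calls; the 30-second challenge lifetime, the hex encoding of nonce and signature, and the in-memory maps are assumptions.

```javascript
// Added illustration, not Optropic's implementation. Uses Node's built-in crypto only.
const crypto = require('node:crypto');

// DER header that wraps a raw 32-byte Ed25519 key as SubjectPublicKeyInfo.
const SPKI_ED25519_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
const CHALLENGE_TTL_MS = 30_000; // assumed lifetime; the page does not specify one
const devices = new Map();    // deviceId -> { publicKey, revoked }
const challenges = new Map(); // challengeId -> { deviceId, nonce, expiresAt }

function registerDevice(deviceId, publicKeyHex) {
  const raw = Buffer.from(publicKeyHex, 'hex');
  if (raw.length !== 32) throw new Error('Ed25519 public key must be 32 bytes');
  const der = Buffer.concat([SPKI_ED25519_PREFIX, raw]);
  const publicKey = crypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  devices.set(deviceId, { publicKey, revoked: false });
}

function revokeDevice(deviceId) {
  if (devices.has(deviceId)) devices.get(deviceId).revoked = true;
}

function initiateChallenge(deviceId, now = Date.now()) {
  if (!devices.has(deviceId)) throw new Error('unknown device');
  const id = crypto.randomUUID();
  const nonce = crypto.randomBytes(32).toString('hex'); // hex encoding is an assumption
  challenges.set(id, { deviceId, nonce, expiresAt: now + CHALLENGE_TTL_MS });
  return { id, nonce };
}

function verify(challengeId, signatureHex, now = Date.now()) {
  const ch = challenges.get(challengeId);
  challenges.delete(challengeId); // single use: a replayed response finds nothing
  if (!ch || now > ch.expiresAt) return { verified: false };
  const device = devices.get(ch.deviceId);
  if (!device || device.revoked) return { verified: false };
  const sig = Buffer.from(signatureHex, 'hex');
  return { verified: crypto.verify(null, Buffer.from(ch.nonce, 'hex'), device.publicKey, sig) };
}

// Device side: the private key stays on the device; only the signature is sent.
function newDeviceKey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const spki = publicKey.export({ format: 'der', type: 'spki' });
  return { privateKey, publicKeyHex: spki.subarray(12).toString('hex') };
}

function signNonce(privateKey, nonceHex) {
  return crypto.sign(null, Buffer.from(nonceHex, 'hex'), privateKey).toString('hex');
}
```

Deleting the challenge before any other check is what makes a captured signature useless on replay, and the revocation check runs at verification time so a challenge issued before revocation cannot be completed afterwards.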
Standards Alignment
The M2M protocol is designed with reference to DIN SPEC 91406 (product identification) and EPCIS 2.0 event tracking. It uses Ed25519 signatures for authentication, consistent with the Optropic keyset infrastructure.