Skip to content
Stand with Ukraine flag
Star
 
Pricing Try it now

Device Provisioning

The IoT Gateway supports device provisioning, letting it automatically register itself on the ThingsBoard platform and obtain credentials on first startup — no manual per-device credential setup required.

How It Works

Section titled “How It Works”
Gateway provisioning flow: gateway starts, checks for stored credentials, then either connects with them or sends a provision request; the platform creates or reuses the device entity and returns credentials, which the gateway saves to its config directory before connecting. Gateway provisioning flow: gateway starts, checks for stored credentials, then either connects with them or sends a provision request; the platform creates or reuses the device entity and returns credentials, which the gateway saves to its config directory before connecting.

If credentials need to be rotated or the authentication type changed, you can remove the stored credentials and the gateway will re-provision on the next start.

Environment Variables

Section titled “Environment Variables”

Provisioning is configured via environment variables — typically set in docker-compose.yml or your system environment.

VariableRequiredDescription
TB_GW_PROVISIONING_DEVICE_KEYYesProvisioning device key (from the device profile)
TB_GW_PROVISIONING_DEVICE_SECRETYesProvisioning device secret (from the device profile)
TB_GW_PROVISIONING_DEVICE_NAMENoName assigned to the device in ThingsBoard. A random name is generated if not set
TB_GW_PROVISIONING_DEVICE_ACCESS_TOKENNoIf set, the platform assigns this token and uses Access Token authentication
TB_GW_PROVISIONING_DEVICE_USERNAMENoMQTT Basic authentication username
TB_GW_PROVISIONING_DEVICE_PASSWORDNoMQTT Basic authentication password
TB_GW_PROVISIONING_DEVICE_CLIENT_IDNoMQTT Basic authentication client ID
TB_GW_PROVISIONING_DEVICE_CA_CERT_FILENAMENoCA certificate filename in the config/ folder. If set, the gateway generates a client certificate and uses X.509 Certificate authentication

The credentials type is determined by which optional variables you provide:

Variables setCredentials type
ACCESS_TOKENAccess Token
USERNAME / PASSWORD / CLIENT_IDMQTT Basic
CA_CERT_FILENAMEX.509 Certificate
(none)Platform default

Resetting Provisioned Credentials

Section titled “Resetting Provisioned Credentials”

To force re-provisioning (e.g. to rotate credentials or switch authentication type), use the gateway_remove_provisioned_credentials service RPC method. The gateway deletes its stored credentials and re-provisions on the next restart.

Example: Setting Up Device Provisioning

Section titled “Example: Setting Up Device Provisioning”

  1. Create a Device Profile — go to Device profiles, click + and select Create new device profile.

    Device profiles page with the Create new device profile option

  2. Enter a profile name and open the Device provisioning tab.

    New device profile form with Device provisioning tab open

  3. Select Allow to create new devices, then copy and save the Provisioning device key and Provisioning device secret. Click Add.

    Device provisioning tab with Allow to create new devices selected and key/secret shown Device profile created successfully

  4. Download the Gateway docker-compose.yml and open it in a text editor.

    docker-compose.yml file opened in a text editor

  5. Set the provisioning environment variables, replacing the placeholders with your values:

    environment:
      - host=THINGSBOARD_HOST
      - port=THINGSBOARD_PORT
      - TB_GW_PROVISIONING_DEVICE_KEY=YOUR_PROVISION_KEY
      - TB_GW_PROVISIONING_DEVICE_SECRET=YOUR_PROVISION_SECRET
      - TB_GW_PROVISIONING_DEVICE_NAME=Factory-Gateway-01

    Replace THINGSBOARD_HOST and THINGSBOARD_PORT with the host and port of your ThingsBoard instance, and YOUR_PROVISION_KEY / YOUR_PROVISION_SECRET with the values from Step 3.

    docker-compose.yml with provisioning variables filled in

  6. Start the Gateway:

    Terminal window
    docker compose up
    Terminal showing docker compose up output with gateway starting

  7. The gateway auto-registers, receives credentials, and connects to the platform.

    Gateway logs showing successful provisioning and connection

  8. In the ThingsBoard UI, verify the gateway appears as active on the Gateways page or in the device details.

    ThingsBoard Gateways page showing the new gateway as active
© 2026 The ThingsBoard Authors