Getting 401 on REST call to IoTHub (on 'devicebound')

Question

Getting 401 on REST call to IoTHub (on 'devicebound')

Aurovind Sagar Epari 95

Hi Team,

I want to send C2D from a web page. I am able to make REST call to IoTHub on 'events' but not on 'devicebound'. I am getting unauthorized 401 when I post on 'devicebound'. On 'events', I get 204 as expected and I see my message on built-in endpoint.

Note: Just to be sure I have created SAS token with iothubowner policy. Am I missing anything? I believe the same SAS token should work for both, right? Maybe, there is gap in my understanding.

My REST code,

const response = await fetch(`https://myhub.azure-devices.net/devices/device_xyz/messages/devicebound?api-version=2020-03-13`, {
                    method: 'POST',
                    headers: {
                        'Content-Type': 'application/json',
                        'Authorization': sasToken
                    },
                    body: message
                });

Accepted answer

0 additional answers

Your answer

Answer 1

LeelaRajeshSayana-MSFT 17,776 Moderator

Hi @Aurovind Sagar Epari Greetings! Thank you for question here.

I would like to point out that the API end point has a GET method implementation and not POST. Please refer the documentation - Device - Receive Device Bound Notification for more information.

I believe the same SAS token should work for both, right?

To answer this question, I would like to make a note that each shared access policy comes with a different set of permissions to it. For more information on this, please find the below details which can be found from IoT hub-level shared access policies

User's image

Since the API reads cloud-to-device messages, Device shared access policy should work in trying to fetch the result. You wouldn't explicitly need iothubowner policy credentials.

May I also know the steps you have followed to create the SAA token? Please find the below code for reference that would help guide you in generating the token with the correct format.

var generateSasToken = function(resourceUri, signingKey, policyName, expiresInMins) {
    resourceUri = encodeURIComponent(resourceUri);

    // Set expiration in seconds
    var expires = (Date.now() / 1000) + expiresInMins * 60;
    expires = Math.ceil(expires);
    var toSign = resourceUri + '\n' + expires;

    // Use crypto
    var hmac = crypto.createHmac('sha256', Buffer.from(signingKey, 'base64'));
    hmac.update(toSign);
    var base64UriEncoded = encodeURIComponent(hmac.digest('base64'));

    // Construct authorization string
    var token = "SharedAccessSignature sr=" + resourceUri + "&sig="
    + base64UriEncoded + "&se=" + expires;
    if (policyName) token += "&skn="+policyName;
    return token;
};

Lastly, please ensure that you are calling this end point to an IoT Hub on Standard tier because this capability is only available in the standard tier IoT Hub.

Please let us know if you have any further questions or need additional information.

If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with similar issue identify the solution. I highly appreciate your contribution to the community.

Aurovind Sagar Epari 95 Reputation points

2023-08-16T19:40:52.61+00:00
Hi @LeelaRajeshSayana-MSFT

I am trying to send C2D message from a browser client to the device and not looking for a notification. When I POST to ‘events’, the message is posted to IoTHub with 204 as expected code. But, I don’t receive the message in my device. To see what is happening, I monitored the built-in endpoint in VScode and I see the message there instead of receiving at the device. Wondering why the device is not receiving the message. Below is my POST js snippet.

const response = await fetch(`https://myhub.azure-devices.net/devices/device_xyz/messages/events?api-version=2020-03-13`, { method: 'POST', headers: { 'Content-Type': 'application/json', 'Authorization': sasToken }, body: message });

I thought I should try ‘devicebound’. Tried with above code by replacing 'events' with 'devicebound'. Maybe, that’s not correct as the response is 401.

Yeah aware of the policies. I used iothubowner just to get all the access. I know service access should be enough.

May I also know the steps you have followed to create the SAA token? Please find the below code for reference that would help guide you in generating the token with the correct format.

Yeah my code is same. And BTW the SAS token worked and I am able to send to 'events'. The issue is, the message is not received at device.

Is not it the right way of sending C2D message to a device using REST call? Please correct me.
Aurovind Sagar Epari 95 Reputation points

2023-08-17T07:59:40.3133333+00:00
Hi @LeelaRajeshSayana-MSFT
Another point, I would like to add is,
I am able to send C2D message from a node.js code using.

var Client = require('azure-iothub').Client; client.send(targetDevice, message, printResultFor('send'));

So I was expecting I should be able to send C2D message through REST call as well.
Aurovind Sagar Epari 95 Reputation points

2023-08-17T08:38:40.2633333+00:00

I tried with standard tier but it is the same issue still. Able to POST onto 'events' but that goes to built-in enedpoint. But not able to POST onto 'devicebound'.

Aurovind Sagar Epari 95

Just to be sure. Following is my SAS generation code. The primary key is of my device. And this works when I POST to 'events'.

const crypto = require('crypto');

const deviceId = 'xyz';
const primaryKey = '......';

const resourceUri = `myhub.azure-devices.net/devices/xyz`;
const expiresInMins = 60; // Token expiration time in minutes

const generateSasToken = () => {
    const expiry = Math.floor(Date.now() / 1000) + expiresInMins * 60;
    const toSign = `${encodeURIComponent(resourceUri)}\n${expiry}`;
    const signature = crypto.createHmac('sha256', Buffer.from(primaryKey, 'base64'))
        .update(toSign)
        .digest('base64');

    const sasToken = `SharedAccessSignature sr=${encodeURIComponent(resourceUri)}&sig=${encodeURIComponent(signature)}&se=${expiry}`;
    return sasToken;
};

const sasToken = generateSasToken();

console.log(sasToken);

Aurovind Sagar Epari 95 Reputation points

2023-08-17T09:26:18.3633333+00:00

Hi @LeelaRajeshSayana-MSFT
chatgpt says,

I apologize for the confusion. You're correct;sending messages to the devicebound endpoint for C2D messages is not supported. C2D messages are not sent directly to the devicebound endpoint. Instead, they are delivered to the devices using MQTT, AMQP, or HTTP, depending on the device's capabilities and configuration. If you want to send a C2D message to a device, you would typically use the Azure IoT Hub SDKs or protocols like MQTT, AMQP, or HTTP. Directly sending C2D messages to the devicebound endpoint using a REST API call is not the recommended approach and would not work as intended.

So I assume direct REST call is not supported, is it? The only way out is to use IoTHub service SDK?
LeelaRajeshSayana-MSFT 17,776 Reputation points Moderator

2023-08-17T19:15:20.98+00:00

Hi @Aurovind Sagar Epari thank you for sharing additional information. This clarifies what you are trying to achieve. Thank you for sharing these details. I have a couple of observations based on the details you shared.

Device - Send Device Event

The end point POST https://fully-qualified-iothubname.azure-devices.net/devices/{id}/messages/events?api-version=2020-03-13 is used to send device-to-cloud messages and not cloud-to-device. This is the reason why the messages send through this API end point end up in built-in end point, which receives telemetry, if the messages are not routed.

Your Shared access token structure seems correct and since it worked with sending the telemetry, we can rule out the possibility of access token issue.

The only way out is to use IoTHub service SDK

The link Cloud to Device Messages provides different end point implementations around the service Cloud to device messages. It has the below set of implementations but there is no explicit end point to send cloud to device messages.

Furthermore, referring to the original documentation on Send cloud-to-device messages from an IoT hub, there is a statement saying that You send cloud-to-device messages through a service-facing endpoint.

This may imply that the cloud to device communication has to be initiated through the service SDK or the Azure portal. I will test this further and see if I can figure out a way to achieve this through API request. Kindly note that I will be away for a few days and expect an update on this before the end of next week.

---If your question is answerd, I highly appreciate it if you can mark the posted Answer as Accept Answer and Yes so that other community members facing similar issue would get benefitted.
Aurovind Sagar Epari 95 Reputation points

2023-08-18T13:21:24.12+00:00

Hi @LeelaRajeshSayana-MSFT
You could skip trying it out. Thanks anyway :)
As I mentioned in my previous comment, I created a function app and I am able to make REST call now to the device via the function app.
Nolan Roberts 0 Reputation points

2025-07-04T20:25:51.1433333+00:00

@Aurovind Sagar Epari would you be able to provide an example of your Azure function to send Cloud-to-Device messages?

Share via

Getting 401 on REST call to IoTHub (on 'devicebound')

0 additional answers

Your answer