Register your CA certificate in AWS IoT Core with the 'aws iot register-ca-certificate' command; enable automatic registration and choose JITP mode.
Attach a provisioning template to the CA certificate (as a JSON string in --registration-config) that specifies the thing name pattern, policy ARN, and an optional IAM role for the provisioning service to assume.
Pre-install each device with a unique X.509 certificate signed by the registered CA and the CA's root certificate chain.
On first MQTT connect, AWS IoT Core detects the unregistered device certificate, triggers JITP, creates the thing and registers the certificate using the attached template — no Lambda function required.
The initial connection is rejected while provisioning runs, so the device must reconnect once it completes; design device firmware to reconnect automatically after a short delay.
For custom business logic (allow-list checks, database registration), use JITR instead: listen for registration lifecycle events on $aws/events/certificates/registered/CA_CERT_ID and route them to a Lambda via an IoT Rule.
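The registration sequence from the steps above, as an added example written for this page (it is not code from the original page or from AWS). It builds the JITP provisioning template and the --registration-config payload in pure shell, and a guarded function runs the actual AWS CLI calls: creating the role the provisioning service assumes (using AWS's managed policy AWSIoTThingsRegistration), generating the verification certificate whose CN is the account registration code, and registering the CA with automatic registration enabled. It also emits the IoT Rule payload that routes the lifecycle topic from the JITR step to a Lambda. Hypothetical values: role name JitpProvisioningRole, an IoT policy named DevicePolicy created beforehand, the CA key pair in ca.pem and ca.key, and a placeholder Lambda ARN.

```shell
#!/bin/sh
# Added example, not from the original page or AWS. Builders are pure shell;
# only run_registration() talks to AWS, and only when JITP_APPLY=1.
# Assumed (hypothetical) names: JitpProvisioningRole, DevicePolicy, ca.pem/ca.key.
set -eu

# JITP template: thing name taken from the device cert's CN, certificate
# activated, a pre-created IoT policy attached.
provisioning_template() {
  policy_name="$1"
  cat <<EOF
{
  "Parameters": {
    "AWS::IoT::Certificate::CommonName": {"Type": "String"},
    "AWS::IoT::Certificate::Id": {"Type": "String"}
  },
  "Resources": {
    "thing": {
      "Type": "AWS::IoT::Thing",
      "Properties": {"ThingName": {"Ref": "AWS::IoT::Certificate::CommonName"}}
    },
    "certificate": {
      "Type": "AWS::IoT::Certificate",
      "Properties": {
        "CertificateId": {"Ref": "AWS::IoT::Certificate::Id"},
        "Status": "Active"
      }
    },
    "policy": {
      "Type": "AWS::IoT::Policy",
      "Properties": {"PolicyName": "$policy_name"}
    }
  }
}
EOF
}

# --registration-config carries the template as a JSON *string*, so quotes
# and backslashes are escaped and newlines removed.
json_escape() {
  sed 's/\\/\\\\/g; s/"/\\"/g' | tr -d '\n'
}

registration_config() {
  role_arn="$1"; policy_name="$2"
  body=$(provisioning_template "$policy_name" | json_escape)
  printf '{"templateBody": "%s", "roleArn": "%s"}\n' "$body" "$role_arn"
}

# JITR alternative: rule payload forwarding certificate lifecycle events
# to a Lambda (function ARN is a placeholder supplied by the caller).
jitr_rule_payload() {
  lambda_arn="$1"
  cat <<EOF
{
  "sql": "SELECT * FROM '\$aws/events/certificates/registered/#'",
  "actions": [{"lambda": {"functionArn": "$lambda_arn"}}]
}
EOF
}

# Registration sequence (needs AWS credentials and openssl; not run by default).
# 1. Role assumed by the provisioning service, with AWS's managed policy.
# 2. Verification certificate: CN = account registration code, signed by
#    the CA, proving control of the CA private key.
# 3. Register the CA active with auto-registration and the JITP template.
run_registration() {
  role_arn=$(aws iam create-role --role-name JitpProvisioningRole \
    --assume-role-policy-document '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"iot.amazonaws.com"},"Action":"sts:AssumeRole"}]}' \
    --query Role.Arn --output text)
  aws iam attach-role-policy --role-name JitpProvisioningRole \
    --policy-arn arn:aws:iam::aws:policy/service-role/AWSIoTThingsRegistration
  code=$(aws iot get-registration-code --query registrationCode --output text)
  openssl req -new -newkey rsa:2048 -nodes -keyout verify.key \
    -out verify.csr -subj "/CN=$code"
  openssl x509 -req -in verify.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out verify.pem -days 365 -sha256
  registration_config "$role_arn" DevicePolicy > registration-config.json
  aws iot register-ca-certificate --ca-certificate file://ca.pem \
    --verification-certificate file://verify.pem --set-as-active \
    --allow-auto-registration --registration-config file://registration-config.json
}

if [ "${JITP_APPLY:-0}" = 1 ]; then
  run_registration
fi
```

Run with JITP_APPLY=1 to execute the AWS calls; without it the script only defines the builders, which is convenient for inspecting the generated template and rule payload before touching the account. The CN check on the verification certificate is the part worth keeping an eye on: a CA registration that fails there usually means the CSR was signed by a different key than the one whose certificate is being registered.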
Known gotchas
JITP silently rejects the first connection attempt to trigger provisioning; devices that do not retry the connection will never complete onboarding.
The IAM role attached to the CA certificate must allow iot:RegisterThing, iot:CreatePolicy, iot:AttachPolicy, and iot:AddThingToThingGroup as needed by the template.
Using JITR instead of JITP gives more control but requires maintaining a Rule and Lambda; prefer JITP for standard onboarding and JITR only when custom validation logic is mandatory.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp