Create a provisioning template in AWS IoT Core that defines the thing name pattern, policy, and optional pre/post provisioning hooks (Lambda ARNs).
Generate a single claim certificate and key pair; embed them in the device firmware at manufacture time and attach a restrictive policy allowing only the Fleet Provisioning MQTT API topics.
On first boot the device connects with the claim certificate, subscribes to $aws/certificates/create/json/accepted and /rejected, then publishes an empty payload to $aws/certificates/create/json to request a unique certificate.
Using the certificate ownership token returned in the accepted message, publish to $aws/provisioning-templates/TEMPLATE_NAME/provision/json with a parameters object whose keys match the template variables.
Subscribe to the /accepted and /rejected response topics before publishing each request so that no response is missed on the same connection.
Store the returned certificate, private key, and thing name on the device's secure element or flash, then reconnect using the permanent certificate and discard the claim credentials.
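The six steps above as one runnable exchange. This is an added example, not code from the page or from AWS: a tiny in-memory stand-in for AWS IoT Core answers the two Fleet Provisioning requests so the flow runs offline. The topic names are the real Fleet Provisioning topics; the template name, serial number, token, certificate and key values are constructed placeholders, and the stand-in only delivers a response if the device subscribed to that topic first.

```python
"""Simulated AWS IoT Fleet Provisioning by claim, device side (added example)."""
import json

TEMPLATE_NAME = "ExampleTemplate"  # constructed; any template name works here
CREATE_TOPIC = "$aws/certificates/create/json"
PROVISION_TOPIC = f"$aws/provisioning-templates/{TEMPLATE_NAME}/provision/json"


class FakeIoTCore:
    """Stand-in broker: mimics the documented response field names
    (certificateOwnershipToken, certificatePem, privateKey, thingName)."""

    def __init__(self):
        self.subscriptions = set()
        self.delivered = []        # (topic, json payload) pairs the device can read
        self.certs_created = 0     # how many certificates this device has asked for
        self.issued_tokens = set()

    def subscribe(self, topic):
        self.subscriptions.add(topic)

    def _deliver(self, topic, payload):
        # Like a real broker: a response on an unsubscribed topic is simply lost.
        if topic in self.subscriptions:
            self.delivered.append((topic, json.dumps(payload)))

    def publish(self, topic, payload):
        body = json.loads(payload)
        if topic == CREATE_TOPIC:
            self.certs_created += 1
            token = f"token-{self.certs_created}"           # constructed placeholder
            self.issued_tokens.add(token)
            self._deliver(CREATE_TOPIC + "/accepted", {
                "certificateId": f"certid-{self.certs_created}",
                "certificatePem": "-----BEGIN CERTIFICATE-----\n<placeholder>",
                "privateKey": "-----BEGIN RSA PRIVATE KEY-----\n<placeholder>",
                "certificateOwnershipToken": token,
            })
        elif topic == PROVISION_TOPIC:
            token = body.get("certificateOwnershipToken")
            params = body.get("parameters", {})
            if token not in self.issued_tokens or "SerialNumber" not in params:
                self._deliver(PROVISION_TOPIC + "/rejected", {
                    "statusCode": 400, "errorCode": "InvalidRequest",
                    "errorMessage": "bad ownership token or missing template parameter"})
            else:
                self._deliver(PROVISION_TOPIC + "/accepted", {
                    "thingName": f"thing-{params['SerialNumber']}",
                    "deviceConfiguration": {}})
        else:
            # The claim policy only allows the Fleet Provisioning topics.
            raise PermissionError(f"claim policy does not allow publish to {topic}")


def await_response(broker, request_topic):
    """Return (accepted, body) for the first response to request_topic."""
    for topic, payload in list(broker.delivered):
        if topic.startswith(request_topic + "/"):
            broker.delivered.remove((topic, payload))
            return topic.endswith("/accepted"), json.loads(payload)
    raise TimeoutError(f"no response on {request_topic}/accepted or /rejected")


def provision_device(broker, serial_number):
    """Claim -> permanent credential flow; returns what the device should persist."""
    # Subscribe to both response topics BEFORE publishing each request.
    for base in (CREATE_TOPIC, PROVISION_TOPIC):
        broker.subscribe(base + "/accepted")
        broker.subscribe(base + "/rejected")

    # CreateKeysAndCertificate: empty JSON object, exactly once per device.
    broker.publish(CREATE_TOPIC, "{}")
    ok, created = await_response(broker, CREATE_TOPIC)
    if not ok:
        raise RuntimeError(f"certificate creation rejected: {created}")

    # RegisterThing: ownership token plus the template's parameters.
    request = {"certificateOwnershipToken": created["certificateOwnershipToken"],
               "parameters": {"SerialNumber": serial_number}}
    broker.publish(PROVISION_TOPIC, json.dumps(request))
    ok, registered = await_response(broker, PROVISION_TOPIC)
    if not ok:
        raise RuntimeError(f"provisioning rejected: {registered}")

    # Persist these (secure element or flash); the claim credentials are not reused.
    return {"thingName": registered["thingName"],
            "certificatePem": created["certificatePem"],
            "privateKey": created["privateKey"]}
```

The device code talks to the broker only through subscribe/publish, so the same functions map directly onto an MQTT client; the point worth keeping is the ordering (subscribe, then publish, then read) and that the create-certificate request is made once.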
Known gotchas
Claim certificates must be registered in AWS IoT Core and their policy must be scoped only to the Fleet Provisioning API topics — over-permissive claim policies are a security risk.
A pre-provisioning Lambda hook can reject devices that are not in an allowed inventory list; returning allowProvisioning: false in the hook's response blocks the request before any resources are created.
A new device certificate is created on every call to the create-certificate topic; calling it more than once per device wastes certificates and incurs additional cost.
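The first two gotchas, worked as code. This is an added example and not the page's or AWS's own code: a pre-provisioning hook handler that rejects serial numbers absent from an inventory, and a static check that a claim-certificate policy grants nothing beyond the Fleet Provisioning topics. The inventory, the account and region in the ARNs, the parameter override, and both policy documents are constructed; the event and response field names (parameters, allowProvisioning, parameterOverrides) are the ones the hook contract uses.

```python
"""Pre-provisioning hook and claim-policy scope check (added example)."""
import re

# Constructed inventory; in production this is a database or registry lookup.
ALLOWED_SERIALS = {"SN-0001", "SN-0002"}


def lambda_handler(event, context=None):
    """Pre-provisioning hook: AWS IoT passes the template parameters under
    event["parameters"]; the response must carry a boolean allowProvisioning."""
    serial = event.get("parameters", {}).get("SerialNumber")
    if serial not in ALLOWED_SERIALS:
        # False stops the request before any thing, certificate or policy exists.
        return {"allowProvisioning": False}
    return {"allowProvisioning": True,
            # Constructed override of a template parameter.
            "parameterOverrides": {"DeviceLocation": "warehouse-1"}}


# Resources a claim certificate legitimately needs: the CreateKeysAndCertificate
# topic and one template's provision topic, as topic (publish/receive) or
# topicfilter (subscribe) ARNs.
ALLOWED_RESOURCE_RE = re.compile(
    r"^arn:aws:iot:[^:]*:[^:]*:(?:topic|topicfilter)/\$aws/"
    r"(?:certificates/create/(?:json/|cbor/)?\*"
    r"|provisioning-templates/[^/]+/provision/(?:json/|cbor/)?\*)$")
DATA_ACTIONS = {"iot:Publish", "iot:Receive", "iot:Subscribe"}


def claim_policy_findings(policy):
    """Return (action, resource) pairs that reach beyond Fleet Provisioning."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action == "iot:Connect":
                continue   # connecting is required; scope by client id separately
            for resource in resources:
                if action not in DATA_ACTIONS or not ALLOWED_RESOURCE_RE.match(resource):
                    findings.append((action, resource))
    return findings


ARN = "arn:aws:iot:us-east-1:123456789012"   # constructed region/account

# Constructed claim policy scoped to the Fleet Provisioning topics only.
GOOD_CLAIM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iot:Publish", "iot:Receive"],
     "Resource": [f"{ARN}:topic/$aws/certificates/create/*",
                  f"{ARN}:topic/$aws/provisioning-templates/ExampleTemplate/provision/*"]},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": [f"{ARN}:topicfilter/$aws/certificates/create/*",
                  f"{ARN}:topicfilter/$aws/provisioning-templates/ExampleTemplate/provision/*"]},
]}

# Constructed over-permissive claim policy: publish to any topic.
BAD_CLAIM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
    {"Effect": "Allow", "Action": "iot:Publish", "Resource": "*"},
]}
```

Run claim_policy_findings against the policy attached to a claim certificate before it ships in firmware; an empty list is the expected result, and anything else names the statement to tighten.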