TagoTiP(s) - Encrypted Communication

AEAD authenticated encryption for your IoT data - without TLS. TagoTiP(s) wraps frames in a compact binary envelope with built-in integrity verification and replay protection. As little as 29 bytes of overhead.

When to use TagoTiP(s)​

• No TLS available - UDP has no TLS support; TagoTiP(s) is your only encryption option
• Constrained links - where TLS handshakes are too expensive
• Defense in depth - combine TagoTiP(s) with TLS on TCP port 5694 or HTTPS port 443 for layered security

TagoTiP(s) supported ports​

US-East-1:

See Endpoints for all regions.

How it differs from TagoTiP​

Credentials​

TagoTiP and TagoTiP(s) use different credentials from the same authorization:

Both come from a single authorization with token format TagoTiP(s). See the Authorization guide.

How it works​

TagoTiP(s) strips the method and auth from a TagoTiP frame, encrypts the rest, and wraps it in a fixed-structure binary envelope:

[Flags 1B] [Counter 4B] [Auth Hash 8B] [Device Hash 8B] [Ciphertext + Tag]
 cipher      nonce        profile         device           encrypted payload
 method      component    identifier      identifier
 version

Total overhead: 29 bytes (AES-128-CCM) to 37 bytes (GCM / ChaCha20-Poly1305).

Cipher suites​

AES-128-CCM (ID 0) is required by all implementations.

Key derivation​

The encryption key is derived from your authorization token and device serial:

HMAC-SHA256(key = token_hex_without_at_prefix, msg = device_serial)

Truncated to the cipher's key size (16 bytes for AES-128, 32 bytes for AES-256 / ChaCha20).

Size comparison​

Specification​

For envelope parsing, nonce construction, ABNF grammar, and test vectors, see the TagoTiP(s) Specification.