CoAP Protocol: Definition, Architecture 📌

Ivan Novikov
6 min readDec 20, 2021


Professionals involved in IoT network designing or development must have come across CoAP. A dedicatedly set standard by IETF, it works the best when it comes to constrained IoT-enabled solutions.

To make you understand CoAP ( Constrained Application Protocol) better, we have prepared this post, presenting a crisp CoAP definition, architecture, its role in API security, and other related topics.

A Quick Overview

CoAP a customary client-server IoT protocol. It enables clients to make requests for web transfers as per the need of the hour. On the other hand, it also let supporting servers to respond to arriving requests. In summary, devices’ nodes in the IoT ecosystem are enabled to interact over through CoAP only.

CoAP and HTTP follow the same working procedure. However, CoAP attains its functionality via asynchronous transactions (using UDP). It utilizes the POST, GET, PUT, and DELETE calls. That’s the reason why API security is of higher grade while CoAP is active as it is an RPK and PSK-certified protocol.

CoAP is compatible with 4 types of information exchange:

  1. Acknowledgments confirm the completion or failure of an event.
  2. Confirmable are the messages that are resent on time out until the confirmation of successful sending doesn’t arrive.
  3. Reset messages are empty, with confirmable as their nature.
  4. Non-confirmable information is just sent and has no guarantee of successful delivery. There is no acknowledgment of success either.

Key traits of CoAP are:

  • Works for devices in the same network types.
  • Enables data transmission, to and fro, for the general internet-enabled nodes and network-connected devices.
  • Works really fine for SMSs shared over mobile network connectivity.
  • Suitable for internet-operative applications that use connected devices/sensors and have resource limitations.
  • Capable of translating HTTP, supports multicast, and exerts the bare minimum cost burden.
  • Only helps machines to communicate (in the network).

CoAP Architecture

The WWW and the constraints ecosystem are the 2 foundational elements of the CoAP protocol architecture. Here, the server monitors and helps in communication happening using CoAP and HTTP while proxy devices bridge the existing gap for these 2 ecosystem, making the communication smoother.

CoAP allows HTTP clients (also called CoAP clients here) to talk or exchange data/information with each other within resource constraints.

While one tries to understand this architecture, gaining acquaintances with some key terms is crucial:

  • Endpoints are the nodes that host have knowledge of;
  • Client sends requests and replies to incoming requests;
  • Server gets and forwards requests. It also gets and forwards the messages received in response to the requests it had processed.
  • Sender creates and sends the original message.
  • Recipient gets the information sent by the client or forwarded by the server.

CoAP Function

The key role of CoAP is to act like HTTP wherever restricted devices are a part of communication. While filling the gap of HTTP, it enables devices like actuators and sensors to interact over the internet.

The devices, involved in the process, are administered and controlled by considering data as a system’s component. CoAP protocol can operate its functions in an environment having reduced bandwidth and extreme congestion as it consumes reduced power and network bandwidth.

Networks featuring intense congestion and constrained connectivity are not ideal conditions for TCP-based protocols to carry out their responsibilities. CoAP comes as a rescuer at this place and supports the wen transfers.

Web transfers happening using satellites and covering long distances can be accomplished with full perfection using CoAP. Networks featuring billions of nodes take the help of the CoAP protocol for information exchange.

Regardless of the function handled or role played, CoAP promised security of highest grade as DTLS parameters as default security parameter; the counterpart of 128 bit RSA keys.

Speaking of its deployment, it’s simple and hassle-free. It can be implemented from scratch for a straightforward application.

For the application ecosystem where CoAP is not desirable, generic implementations are offered for various platforms. Most of the CoAP implementations are done privately while few are published in open-source libraries like MIT license.

CoAP Features

The defining features that place CoAP protocol separate from other protocols are as stated next. As it shares great similarities with HTTP, developers face bare minimum difficulties while using it.

CoAP is an integration-friendly protocol and can be paired easily with applications using cross-protocol proxies. Seamlessly, it integrates with JSON, XML, CBOR, and various other data formats. In the process, the web client doesn’t get hints about a sensor resource being accessed.

Developers are endowed with various payloads and have the freedom to make a choice to bring the ideal payload into action.

The successful IoT device/application demands the usage of billions of nodes at a time. CoAP is designed to handle such huge mode amounts with full perfection while keeping the overheads under control. It can operate on tons of microcontrollers while using the least possible resources. RAM space as low as 10KiB and code space as 100 KiB is enough for CoAP.

As resources demanded by CoAP are on the minimum side, it keeps the wastes under control. There is no need to deploy a hefty transport stack for web transfers. The header and encoding, used for message processing, are compact and don’t cause any fragments on the link layer. At a time, it supports the functions of multiple servers.

CoAP offers a comprehensive resource directory to spot the properties of the node.

CoAP is verified by RFC 7252, is developed for the future, and is able to deal with congestion control issues.

CoAP Layer

The protocol works through its two layers:

  1. CoAP Messages Model

It makes UDP transactions possible at endpoints in the confirmable (CON) or non-confirmable (NON) format. Every CoAP message features a distinct ID to keep the possibilities of message duplications at bay.

The 3 key parts involved to build this layer are binary header, computer option, and payload.

As explained before, confirmable texts are reliable and easy-to-construct message that are fast and are resent until the receipt of a confirmation of successful delivery (ACK) with message ID.

2. CoAp Request/Response Model

This layer takes care of CON and NON message requests. Acceptance of these requests depend on server’s availability. Cases are:

  1. If idle, the server will handle the request right away. If a CON, the client will get an ACK for it. If the ACK is shared as a Token and differs from the ID, it is essential to map it properly by matching request-response pairs.
  2. If there is a delay or wait involved, the ACK is sent but as an empty text. When its turn arrives, the request is processed and the client gets a fresh CON.

The key traits of the Request/Response model are mentioned next:

  • Request or response codes for CoAP are same as for the HTTP, except for the fact that they are in the binary format (0–8 byte Tokens) in CoAP’s case.
  • Request methods for making calls (GET, PUT, POST, and DELETE) are declared in the process.
  • A CON response could either be stored in an ACK message or forward as CON/NON.


As there are great similarities, we won’t blame you if you consider these two identical. For instance, they both are used for IoT devices as they both necessitate less amounts of network packets causing more power-optimized performance, less storage consumption, and longer battery power.

CoAP and MQTT are distinct from each other on various fronts:

REST Protocol and CoAP

RESTful protocol refers to REpresentational State Transfer and is operational over HTTP. In its casel, every entity is treated as a resource and is accessible via the mutual interface. REST is hugely powered by web technology but is not solely dependent on HTTP

Suitable for IoT applications, CoAP is often called a lightweight RESTful dialect. It requires less CPU resources and bandwidth on the network if we compare. IoT device development is a hefty task if happens over HTTP as it involves billions of nodes. However, due to its nature, architecture and working, CoAP is capable of performing all of this.

Originally published at



Ivan Novikov

CEO at Wallarm. Application security platform to prevent threats and discover vulnerabilities in a real-time.