How Do You Provision Wi-Fi Credentials on an Embedded IoT Device?
Last updated 1 July 2026 · 10 min read
Direct Answer
Wi-Fi provisioning is the process of securely transferring the network SSID and password to an IoT device at first setup — without hardcoding credentials in firmware. The four main approaches are: SoftAP (the device creates a temporary Wi-Fi access point; the user connects to it and submits credentials via a captive portal), BLE-assisted provisioning (credentials are sent over a BLE connection from a mobile app), SmartConfig/ESP-TOUCH (the device sniffs encoded credentials broadcast by the phone over an existing Wi-Fi link), and Matter commissioning (the emerging standard for smart home devices that uses a BLE channel for initial setup and supports Thread, Wi-Fi, and Ethernet as the final transport). SoftAP is the most universally supported and best understood by users; BLE-assisted provisioning gives the best user experience when a companion mobile app already exists.
Detailed Explanation
Wi-Fi provisioning is one of the first user-facing interactions with an IoT product — and one of the most common sources of negative reviews if it is unreliable, slow, or confusing. A product that cannot easily join the user's network is perceived as broken, regardless of how well the rest of the firmware works. Choosing the right provisioning approach depends on the product's hardware (BLE radio availability), whether a companion mobile app exists, and the target user's technical sophistication.
Why Credentials Cannot Be Hardcoded
Hardcoding Wi-Fi credentials in firmware creates three problems:
- The product only works on one network — it cannot be deployed to a different household or site without a firmware reflash
- Credentials are recoverable from the firmware binary — strings are trivially extracted from flat binaries with
stringsor a hex editor - Factory-default or demo credentials shipped to end users — a common cause of data breaches where all units share a known password
Provisioning at first setup solves all three problems: each unit learns its own network credentials, credentials are not in the firmware image, and the user explicitly consents to network access.
SoftAP Provisioning
The device boots into access point mode, creating a Wi-Fi network (typically named something like Device-Setup-XXXX). The user connects their phone to this temporary network, opens a captive portal in a browser (typically http://192.168.4.1), and submits their home Wi-Fi SSID and password via an HTML form. The device stores the credentials, disconnects the SoftAP, and connects to the home network. The phone reconnects to its normal network automatically.
Advantages:
- Works without a mobile app — any device with a browser is sufficient
- No additional radio hardware required beyond Wi-Fi
- Familiar to users who have set up home routers
Disadvantages:
- The user must manually switch their phone's Wi-Fi network (to the device's AP), submit credentials, and switch back — three steps that confuse non-technical users
- No confirmation of success visible to the user (phone switched away before device confirmed connection)
- Captive portal detection on modern iOS and Android sometimes opens a special captive portal browser rather than the user's default browser
ESP32 SoftAP provisioning with Wi-Fi Manager (ESP-IDF):
wifi_prov_mgr_config_t config = {
.scheme = wifi_prov_scheme_softap,
.scheme_event_handler = WIFI_PROV_EVENT_HANDLER_NONE,
};
wifi_prov_mgr_init(config);
bool provisioned = false;
wifi_prov_mgr_is_provisioned(&provisioned);
if (!provisioned) {
/* Start SoftAP provisioning — service_name is the AP SSID */
wifi_prov_mgr_start_provisioning(WIFI_PROV_SECURITY_1, pop, service_name, NULL);
} else {
wifi_prov_mgr_deinit();
/* Connect with stored credentials */
}
WIFI_PROV_SECURITY_1 enables SRP-based challenge-response authentication of the provisioning endpoint — use this to prevent unauthorised devices from submitting credentials to the AP.
BLE-Assisted Provisioning
The device advertises over BLE while in the unprovisioned state. The companion mobile app (iOS or Android) scans for the device, connects, and transfers the Wi-Fi SSID and password over a GATT service. The device acknowledges receipt, attempts the Wi-Fi connection, and sends the result (success or failure with reason code) back over BLE before the connection closes.
Advantages:
- Seamless user experience: the user never switches Wi-Fi networks — provisioning happens through the app while the phone stays on its normal Wi-Fi
- Real-time success confirmation: the app receives confirmation that the device joined the target network
- Works on iOS without the need for the user to navigate Wi-Fi settings
Disadvantages:
- Requires a companion mobile app with BLE support
- ESP32 and other dual-radio SoCs must manage BLE and Wi-Fi simultaneously during the provisioning transition — this requires handling the co-existence window during the final Wi-Fi join
- Slightly more complex firmware implementation
ESP32 BLE provisioning (ESP-IDF Wi-Fi Provisioning Manager):
wifi_prov_mgr_config_t config = {
.scheme = wifi_prov_scheme_ble,
.scheme_event_handler = WIFI_PROV_SCHEME_BLE_EVENT_HANDLER_FREE_BTDM,
};
wifi_prov_mgr_init(config);
/* The manager handles GATT service definition and BLE advertising */
wifi_prov_mgr_start_provisioning(
WIFI_PROV_SECURITY_1,
pop, /* Proof of possession — device-specific string */
service_name, /* BLE device name shown in mobile app scan */
NULL
);
The pop (proof of possession) is a device-specific token that the mobile app must supply to authenticate the provisioning session. Derive it from a device serial number, hardware ID, or a random value printed on a QR code label — this prevents a rogue app from provisioning the device to an attacker's network.
nRF Wi-Fi provisioning (Zephyr NCS): Nordic's nRF9160 and nRF7002 support a Zephyr-based Wi-Fi provisioning library that implements a similar BLE-assisted flow using a standardised GATT service, compatible with the nRF Connect for Mobile app.
SmartConfig / ESP-TOUCH
The device enters promiscuous mode on the Wi-Fi radio and monitors all 802.11 frames on each channel. A companion app on the phone — which is already connected to the target Wi-Fi network — sends UDP broadcast packets to a multicast address, encoding the SSID and password in the sequence of packet lengths. The unprovisioned device decodes the length pattern and extracts the credentials.
/* ESP32 SmartConfig — simplified */
esp_smartconfig_start(SC_TYPE_ESPTOUCH);
/* SC_EVENT_GOT_SSID_PSWD event delivers the credentials: */
void sc_event_handler(void* arg, esp_event_base_t event_base,
int32_t event_id, void* event_data)
{
if (event_id == SC_EVENT_GOT_SSID_PSWD) {
smartconfig_event_got_ssid_pswd_t *evt = event_data;
/* evt->ssid and evt->password contain the decoded credentials */
esp_wifi_set_config(WIFI_IF_STA, &wifi_config);
esp_wifi_connect();
}
}
SmartConfig requires both the phone and target network to be on 2.4 GHz. It does not work reliably on 5 GHz-only networks or in environments with dense Wi-Fi traffic. Use it as a backup method alongside SoftAP or BLE-assisted provisioning, not as the sole option.
Matter Commissioning
Matter is the application-layer standard for smart home devices, jointly developed by Apple, Google, Amazon, and others through the Connectivity Standards Alliance (CSA). The Matter commissioning flow uses BLE for initial device discovery and credential transfer, regardless of the device's final transport (Wi-Fi, Thread, or Ethernet).
Matter commissioning sequence (simplified):
- Unprovisioned device advertises over BLE with a Matter-specific UUID
- The Matter commissioner (phone, smart home hub, or voice assistant device) scans, connects, and performs PASE (Password Authenticated Session Establishment) using a device-specific PIN printed on the product
- The commissioner transfers the Wi-Fi credentials (or Thread dataset) over the authenticated BLE session
- The device joins the target network; the commissioner establishes a CASE (Certificate Authenticated Session Establishment) session over the final transport
- The device is now part of the Matter fabric and can receive commands from any authorised Matter controller
Matter is the appropriate choice for products intended for the Apple HomeKit, Google Home, Amazon Alexa, or Samsung SmartThings ecosystems. It adds implementation complexity — the Matter SDK is substantial — but provides cross-platform interoperability without per-platform app development.
Credential Storage
Regardless of provisioning method, credentials must be stored in non-volatile memory:
- ESP32 (ESP-IDF): the Wi-Fi stack stores credentials automatically in the NVS partition after
esp_wifi_set_config(). Enable NVS encryption (NVS_ENCRYPTION=yand a device-specific key burned to eFuse) for products with security requirements. - nRF7002 / nRF9160 (Zephyr NCS): credentials are stored via the Settings subsystem. Enable encrypted flash (
CONFIG_TRUSTED_EXECUTION_SECURE=yor FOTA-based key provisioning) for secure credential storage. - Factory reset: always provide a mechanism to erase stored credentials (long button press, specific firmware reset command) that clears both the provisioning state and the NVS/Settings partition. A factory reset that only clears application state but leaves credentials creates a privacy problem when the device is sold or repurposed.
Design Considerations
- Provide a QR code or NFC tag for Matter products: Matter's PASE authentication requires a device-specific PIN or QR code. Print the QR code on the product label or packaging — users scan it with their phone's camera to begin commissioning. A QR code that is missing, damaged, or covers the PIN entry entirely blocks the provisioning flow.
- Timeout the provisioning mode: do not leave the device in SoftAP or BLE advertising mode indefinitely. After a provisioning timeout (typically 3–5 minutes), the device should return to normal operation or reset — an unprovisioned device in SoftAP mode consumes significantly more power than a connected device in normal operation.
- Derive the proof-of-possession token per device: a shared proof-of-possession string (same for all units) provides no security benefit. Generate per-device tokens during manufacturing from the device serial number or a factory-injected random seed, and print them on the device or its packaging.
- Test provisioning on the iOS and Android versions you actually ship to: iOS handles captive portal detection differently from Android, and the BLE connection behaviour during Wi-Fi joining differs across Android OEM variants. Build the provisioning test matrix into the firmware qualification plan.
- Handle re-provisioning gracefully: a device already provisioned to network A needs a path to switch to network B (user moves house, network password changes). A single factory-reset button held for 5 seconds is the simplest approach; alternatively, implement a re-provisioning command accessible through the normal connected state.
- Zeus Design develops companion iOS and Android apps with BLE-assisted and SoftAP provisioning flows, including QR code scanning, real-time provisioning status, and factory reset management for IoT products.
Common Mistakes
- No re-provisioning path: designing a product with no way to change the stored Wi-Fi credentials after initial setup forces users to factory-reset the device and re-configure everything when their router or password changes. A dedicated re-provisioning flow or a factory reset accessible without disassembly is a minimum requirement.
- Fixed proof-of-possession token across all units: a proof-of-possession string identical on every unit provides no protection against rogue provisioning from a malicious app. Use per-device tokens derived from serial numbers or factory-injected secrets.
- Starting provisioning mode after every boot until confirmed: the device should remember whether it has been successfully provisioned. A device that enters SoftAP mode on every boot until a "provisioned" flag is set will confuse users who power-cycle the device unexpectedly.
- Not verifying the Wi-Fi connection succeeds before closing BLE: in BLE-assisted provisioning, the BLE connection should remain open until the device confirms it joined the target network (or failed with an error code). Closing BLE as soon as credentials are received, before testing the connection, leaves the user with no feedback if credentials were wrong.
- Storing the SSID and password in plain-text firmware flash without NVS encryption: the Wi-Fi password is recoverable with a JTAG debug probe if stored in unencrypted NVS. For consumer products, enable NVS encryption tied to device-unique keys to prevent credential harvesting from returned or stolen units.
- Ignoring provisioning in the power budget: during SoftAP provisioning, the ESP32 runs both a Wi-Fi AP and a web server simultaneously. This uses significantly more power than normal connected operation. If the product is battery-powered, time-limit the provisioning mode and warn the user via an LED if battery is low.
Frequently Asked Questions
- Should I use SoftAP or BLE-assisted provisioning for my product?
- SoftAP works on any device with a Wi-Fi radio and requires no companion mobile app — users connect using the native Wi-Fi settings on their phone and open a captive portal URL (or are redirected automatically). This makes SoftAP suitable for devices without a dedicated app, or as a fallback for devices that also support BLE. BLE-assisted provisioning offers a significantly better user experience when a companion iOS or Android app exists: the app scans for unprovisioned devices, connects over BLE, transfers credentials, and confirms connectivity — all without the user manually switching Wi-Fi networks. For products with a companion app, BLE-assisted is almost always the right choice. For developer tools, industrial panels, or devices without a companion app requirement, SoftAP is simpler to deploy.
- How does SmartConfig work and what are its limitations?
- SmartConfig (also called ESP-TOUCH on ESP32, or similar protocols on other platforms) exploits the fact that an unprovisioned device connected to Wi-Fi channel in promiscuous mode can see packet lengths of encrypted 802.11 frames even without knowing the encryption key. The phone encodes the SSID and password in the packet length sequence of UDP broadcast frames. The unprovisioned device, scanning all channels, decodes the SSID/password from the length pattern. SmartConfig eliminates the need for the device to create its own network or for the user to change their phone's Wi-Fi connection. The limitations are: it requires the phone and the device to be on the same Wi-Fi 2.4 GHz network channel; it does not work reliably on 5 GHz networks; it fails in environments with heavy Wi-Fi traffic that disrupts the length sequence; and it is not universally supported across all Wi-Fi chipsets. It works best as a backup provisioning method rather than the primary path.
- How should Wi-Fi credentials be stored on an embedded device?
- Wi-Fi credentials (SSID and password) must be stored in non-volatile memory — typically flash — and must be protected from extraction via debug interfaces. On ESP32, the recommended approach is the NVS (Non-Volatile Storage) partition, which stores key-value pairs in flash with optional encryption via NVS encryption keys derived from the device's eFuse-burned key. On nRF devices using Zephyr, credentials are stored via the Settings subsystem or the nRF Wi-Fi Provisioning library in a designated flash partition. Avoid storing credentials in plain-text global variables or in MCU SRAM — this data is lost on power cycle and is readable through JTAG/SWD debug probes. For products with higher security requirements, use the platform's secure element or encrypted flash partition to prevent credential extraction from stolen devices.
References
Related Questions
What Is Wi-Fi?
Wi-Fi (IEEE 802.11) provides wireless internet at 2.4 GHz and 5 GHz. Learn how standards, security (WPA2/WPA3), and power modes affect embedded IoT designs.
What Is Bluetooth Low Energy (BLE)?
Bluetooth Low Energy (BLE) is a 2.4 GHz protocol for low-power sensor-to-phone communication. Learn how advertising, GATT, and connection parameters work.
How Do BLE Connection Parameters Affect Power Consumption?
Tune BLE connection interval, slave latency, and supervision timeout for battery-powered peripherals. Covers trade-offs, negotiation, and platform examples.
How Do Wi-Fi and BLE Coexist in the 2.4 GHz Band?
Design dual-radio products with both Wi-Fi and BLE in the 2.4 GHz band. Covers TDM arbitration, PTA, frequency planning, and coexistence on ESP32 and nRF.
How Do You Set Up Wi-Fi and Provision an ESP32 Device?
Covers ESP32 Wi-Fi station and AP mode in ESP-IDF, event-loop connection handling, SoftAP provisioning, and the ESP32 HTTP server for local API endpoints.
How Does an OTA Firmware Update Work?
OTA firmware updates require dual-bank flash, image verification, and rollback. Covers MCUboot swap, ESP32 OTA API, image signing, and power-loss-safe design.
Related Forum Discussions
ESP32 IoT device stops sending data after 6–8 hours but shows as connected on the AP — DHCP lease expired?
Deployed an ESP32-S3 sensor node at a customer's warehouse last week. It reads temperature and humidity every 5 minutes and POSTs the data t
BLE GATT notifications working on first connect but stop after phone reconnects — what resets the CCCD?
Working on a BLE peripheral on nRF52840 with Zephyr (NCS 2.7). Custom GATT service with a single notify characteristic that sends sensor rea