Internet Engineering Task Force (IETF) Z. Shelby
Request for Comments: 7252 ARM
Category: Standards Track K. Hartke
ISSN: 2070-1721 C. Bormann
Universitaet Bremen TZI
June 2014 The Constrained Application Protocol (CoAP)
The Constrained Application Protocol (CoAP) is a specialized web
transfer protocol for use with constrained nodes and constrained
(e.g., low-power, lossy) networks. The nodes often have 8-bit
microcontrollers with small amounts of ROM and RAM, while constrained
networks such as IPv6 over Low-Power Wireless Personal Area Networks
(6LoWPANs) often have high packet error rates and a typical
throughput of 10s of kbit/s. The protocol is designed for machine-
to-machine (M2M) applications such as smart energy and building
CoAP provides a request/response interaction model between
application endpoints, supports built-in discovery of services and
resources, and includes key concepts of the Web such as URIs and
Internet media types. CoAP is designed to easily interface with HTTP
for integration with the Web while meeting specialized requirements
such as multicast support, very low overhead, and simplicity for
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
The use of web services (web APIs) on the Internet has become
ubiquitous in most applications and depends on the fundamental
Representational State Transfer [REST] architecture of the Web.
The work on Constrained RESTful Environments (CoRE) aims at realizing
the REST architecture in a suitable form for the most constrained
nodes (e.g., 8-bit microcontrollers with limited RAM and ROM) and
networks (e.g., 6LoWPAN, [RFC4944]). Constrained networks such as
6LoWPAN support the fragmentation of IPv6 packets into small link-
layer frames; however, this causes significant reduction in packet
delivery probability. One design goal of CoAP has been to keep
message overhead small, thus limiting the need for fragmentation.
One of the main goals of CoAP is to design a generic web protocol for
the special requirements of this constrained environment, especially
considering energy, building automation, and other machine-to-machine
(M2M) applications. The goal of CoAP is not to blindly compress HTTP
[RFC2616], but rather to realize a subset of REST common with HTTP
but optimized for M2M applications. Although CoAP could be used for
refashioning simple HTTP interfaces into a more compact protocol,
more importantly it also offers features for M2M such as built-in
discovery, multicast support, and asynchronous message exchanges.
This document specifies the Constrained Application Protocol (CoAP),
which easily translates to HTTP for integration with the existing Web
while meeting specialized requirements such as multicast support,
very low overhead, and simplicity for constrained environments and
CoAP has the following main features:
o Web protocol fulfilling M2M requirements in constrained
o UDP [RFC0768] binding with optional reliability supporting unicast
and multicast requests.
o Asynchronous message exchanges.
o Low header overhead and parsing complexity.
o URI and Content-type support.
o Simple proxy and caching capabilities.
o A stateless HTTP mapping, allowing proxies to be built providing
access to CoAP resources via HTTP in a uniform way or for HTTP
simple interfaces to be realized alternatively over CoAP.
o Security binding to Datagram Transport Layer Security (DTLS)
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
[RFC2119] when they appear in ALL CAPS. These words may also appear
in this document in lowercase, absent their normative meanings.
This specification requires readers to be familiar with all the terms
and concepts that are discussed in [RFC2616], including "resource",
"representation", "cache", and "fresh". (Having been completed
before the updated set of HTTP RFCs, RFC 7230 to RFC 7235, became
available, this specification specifically references the predecessor
version -- RFC 2616.) In addition, this specification defines the
An entity participating in the CoAP protocol. Colloquially, an
endpoint lives on a "Node", although "Host" would be more
consistent with Internet standards usage, and is further
identified by transport-layer multiplexing information that can
include a UDP port number and a security association
The originating endpoint of a message. When the aspect of
identification of the specific sender is in focus, also "source
The destination endpoint of a message. When the aspect of
identification of the specific recipient is in focus, also
The originating endpoint of a request; the destination endpoint of
The destination endpoint of a request; the originating endpoint of
The server on which a given resource resides or is to be created.
A CoAP endpoint that acts both as a server and as a client towards
an origin server (possibly via further intermediaries). A common
form of an intermediary is a proxy; several classes of such
proxies are discussed in this specification.
An intermediary that mainly is concerned with forwarding requests
and relaying back responses, possibly performing caching,
namespace translation, or protocol translation in the process. As
opposed to intermediaries in the general sense, proxies generally
do not implement specific application semantics. Based on the
position in the overall structure of the request forwarding, there
are two common forms of proxy: forward-proxy and reverse-proxy.
In some cases, a single endpoint might act as an origin server,
forward-proxy, or reverse-proxy, switching behavior based on the
nature of each request.
An endpoint selected by a client, usually via local configuration
rules, to perform requests on behalf of the client, doing any
necessary translations. Some translations are minimal, such as
for proxy requests for "coap" URIs, whereas other requests might
require translation to and from entirely different application-
An endpoint that stands in for one or more other server(s) and
satisfies requests on behalf of these, doing any necessary
translations. Unlike a forward-proxy, the client may not be aware
that it is communicating with a reverse-proxy; a reverse-proxy
receives requests as if it were the origin server for the target
A proxy that maps from a CoAP request to a CoAP request, i.e.,
uses the CoAP protocol both on the server and the client side.
Contrast to cross-proxy.
A cross-protocol proxy, or "cross-proxy" for short, is a proxy
that translates between different protocols, such as a CoAP-to-
HTTP proxy or an HTTP-to-CoAP proxy. While this specification
makes very specific demands of CoAP-to-CoAP proxies, there is more
variation possible in cross-proxies.
Some messages require an acknowledgement. These messages are
called "Confirmable". When no packets are lost, each Confirmable
message elicits exactly one return message of type Acknowledgement
or type Reset.
Some other messages do not require an acknowledgement. This is
particularly true for messages that are repeated regularly for
application requirements, such as repeated readings from a sensor.
An Acknowledgement message acknowledges that a specific
Confirmable message arrived. By itself, an Acknowledgement
message does not indicate success or failure of any request
encapsulated in the Confirmable message, but the Acknowledgement
message may also carry a Piggybacked Response (see below).
A Reset message indicates that a specific message (Confirmable or
Non-confirmable) was received, but some context is missing to
properly process it. This condition is usually caused when the
receiving node has rebooted and has forgotten some state that
would be required to interpret the message. Provoking a Reset
message (e.g., by sending an Empty Confirmable message) is also
useful as an inexpensive check of the liveness of an endpoint
A piggybacked Response is included right in a CoAP Acknowledgement
(ACK) message that is sent to acknowledge receipt of the Request
for this Response (Section 5.2.1).
When a Confirmable message carrying a request is acknowledged with
an Empty message (e.g., because the server doesn't have the answer
right away), a Separate Response is sent in a separate message
exchange (Section 5.2.2).
A message with a Code of 0.00; neither a request nor a response.
An Empty message only contains the 4-byte header.
An option that would need to be understood by the endpoint
ultimately receiving the message in order to properly process the
message (Section 5.4.1). Note that the implementation of critical
options is, as the name "Option" implies, generally optional:
unsupported critical options lead to an error response or summary
rejection of the message.
An option that is intended to be ignored by an endpoint that does
not understand it. Processing the message even without
understanding the option is acceptable (Section 5.4.1).
An option that would need to be understood by a proxy receiving
the message in order to safely forward the message
(Section 5.4.2). Not every critical option is an unsafe option.
An option that is intended to be safe for forwarding by a proxy
that does not understand it. Forwarding the message even without
understanding the option is acceptable (Section 5.4.2).
The process where a CoAP client queries a server for its list of
hosted resources (i.e., links as defined in Section 7).
The combination of an Internet media type, potentially with
specific parameters given, and a content-coding (which is often
the identity content-coding), identified by a numeric identifier
defined by the "CoAP Content-Formats" registry. When the focus is
less on the numeric identifier than on the combination of these
characteristics of a resource representation, this is also called
Additional terminology for constrained nodes and constrained-node
networks can be found in [RFC7228].
In this specification, the term "byte" is used in its now customary
sense as a synonym for "octet".
All multi-byte integers in this protocol are interpreted in network
Where arithmetic is used, this specification uses the notation
familiar from the programming language C, except that the operator
"**" stands for exponentiation.
2. Constrained Application Protocol
The interaction model of CoAP is similar to the client/server model
of HTTP. However, machine-to-machine interactions typically result
in a CoAP implementation acting in both client and server roles. A
CoAP request is equivalent to that of HTTP and is sent by a client to
request an action (using a Method Code) on a resource (identified by
a URI) on a server. The server then sends a response with a Response
Code; this response may include a resource representation.
Unlike HTTP, CoAP deals with these interchanges asynchronously over a
datagram-oriented transport such as UDP. This is done logically
using a layer of messages that supports optional reliability (with
exponential back-off). CoAP defines four types of messages:
Confirmable, Non-confirmable, Acknowledgement, Reset. Method Codes
and Response Codes included in some of these messages make them carry
requests or responses. The basic exchanges of the four types of
messages are somewhat orthogonal to the request/response
interactions; requests can be carried in Confirmable and Non-
confirmable messages, and responses can be carried in these as well
as piggybacked in Acknowledgement messages.
One could think of CoAP logically as using a two-layer approach, a
CoAP messaging layer used to deal with UDP and the asynchronous
nature of the interactions, and the request/response interactions
using Method and Response Codes (see Figure 1). CoAP is however a
single protocol, with messaging and request/response as just features
of the CoAP header.
| Application |
| Requests/Responses | |
|----------------------| | CoAP
| Messages | |
| UDP |
Figure 1: Abstract Layering of CoAP
2.1. Messaging Model
The CoAP messaging model is based on the exchange of messages over
UDP between endpoints.
CoAP uses a short fixed-length binary header (4 bytes) that may be
followed by compact binary options and a payload. This message
format is shared by requests and responses. The CoAP message format
is specified in Section 3. Each message contains a Message ID used
to detect duplicates and for optional reliability. (The Message ID
is compact; its 16-bit size enables up to about 250 messages per
second from one endpoint to another with default protocol
Reliability is provided by marking a message as Confirmable (CON). A
Confirmable message is retransmitted using a default timeout and
exponential back-off between retransmissions, until the recipient
sends an Acknowledgement message (ACK) with the same Message ID (in
this example, 0x7d34) from the corresponding endpoint; see Figure 2.
When a recipient is not at all able to process a Confirmable message
(i.e., not even able to provide a suitable error response), it
replies with a Reset message (RST) instead of an Acknowledgement
| CON [0x7d34] |
| ACK [0x7d34] |
Figure 2: Reliable Message Transmission
A message that does not require reliable transmission (for example,
each single measurement out of a stream of sensor data) can be sent
as a Non-confirmable message (NON). These are not acknowledged, but
still have a Message ID for duplicate detection (in this example,
0x01a0); see Figure 3. When a recipient is not able to process a
Non-confirmable message, it may reply with a Reset message (RST).
| NON [0x01a0] |
Figure 3: Unreliable Message Transmission
See Section 4 for details of CoAP messages.
As CoAP runs over UDP, it also supports the use of multicast IP
destination addresses, enabling multicast CoAP requests. Section 8
discusses the proper use of CoAP messages with multicast addresses
and precautions for avoiding response congestion.
Several security modes are defined for CoAP in Section 9 ranging from
no security to certificate-based security. This document specifies a
binding to DTLS for securing the protocol; the use of IPsec with CoAP
is discussed in [IPsec-CoAP].
2.2. Request/Response Model
CoAP request and response semantics are carried in CoAP messages,
which include either a Method Code or Response Code, respectively.
Optional (or default) request and response information, such as the
URI and payload media type are carried as CoAP options. A Token is
used to match responses to requests independently from the underlying
messages (Section 5.3). (Note that the Token is a concept separate
from the Message ID.)
A request is carried in a Confirmable (CON) or Non-confirmable (NON)
message, and, if immediately available, the response to a request
carried in a Confirmable message is carried in the resulting
Acknowledgement (ACK) message. This is called a piggybacked
response, detailed in Section 5.2.1. (There is no need for
separately acknowledging a piggybacked response, as the client will
retransmit the request if the Acknowledgement message carrying the
piggybacked response is lost.) Two examples for a basic GET request
with piggybacked response are shown in Figure 4, one successful, one
resulting in a 4.04 (Not Found) response.
Client Server Client Server
| | | |
| CON [0xbc90] | | CON [0xbc91] |
| GET /temperature | | GET /temperature |
| (Token 0x71) | | (Token 0x72) |
| | | |
| ACK [0xbc90] | | ACK [0xbc91] |
| 2.05 Content | | 4.04 Not Found |
| (Token 0x71) | | (Token 0x72) |
| "22.5 C" | | "Not found" |
| | | |
Figure 4: Two GET Requests with Piggybacked Responses
If the server is not able to respond immediately to a request carried
in a Confirmable message, it simply responds with an Empty
Acknowledgement message so that the client can stop retransmitting
the request. When the response is ready, the server sends it in a
new Confirmable message (which then in turn needs to be acknowledged
by the client). This is called a "separate response", as illustrated
in Figure 5 and described in more detail in Section 5.2.2.
| CON [0x7a10] |
| GET /temperature |
| (Token 0x73) |
| ACK [0x7a10] |
... Time Passes ...
| CON [0x23bb] |
| 2.05 Content |
| (Token 0x73) |
| "22.5 C" |
| ACK [0x23bb] |
Figure 5: A GET Request with a Separate Response
If a request is sent in a Non-confirmable message, then the response
is sent using a new Non-confirmable message, although the server may
instead send a Confirmable message. This type of exchange is
illustrated in Figure 6.
| NON [0x7a11] |
| GET /temperature |
| (Token 0x74) |
| NON [0x23bc] |
| 2.05 Content |
| (Token 0x74) |
| "22.5 C" |
Figure 6: A Request and a Response Carried in Non-confirmable
CoAP makes use of GET, PUT, POST, and DELETE methods in a similar
manner to HTTP, with the semantics specified in Section 5.8. (Note
that the detailed semantics of CoAP methods are "almost, but not
entirely unlike" [HHGTTG] those of HTTP methods: intuition taken from
HTTP experience generally does apply well, but there are enough
differences that make it worthwhile to actually read the present
Methods beyond the basic four can be added to CoAP in separate
specifications. New methods do not necessarily have to use requests
and responses in pairs. Even for existing methods, a single request
may yield multiple responses, e.g., for a multicast request
(Section 8) or with the Observe option [OBSERVE].
URI support in a server is simplified as the client already parses
the URI and splits it into host, port, path, and query components,
making use of default values for efficiency. Response Codes relate
to a small subset of HTTP status codes with a few CoAP-specific codes
added, as defined in Section 5.9.
2.3. Intermediaries and Caching
The protocol supports the caching of responses in order to
efficiently fulfill requests. Simple caching is enabled using
freshness and validity information carried with CoAP responses. A
cache could be located in an endpoint or an intermediary. Caching
functionality is specified in Section 5.6.
Proxying is useful in constrained networks for several reasons,
including to limit network traffic, to improve performance, to access
resources of sleeping devices, and for security reasons. The
proxying of requests on behalf of another CoAP endpoint is supported
in the protocol. When using a proxy, the URI of the resource to
request is included in the request, while the destination IP address
is set to the address of the proxy. See Section 5.7 for more
information on proxy functionality.
As CoAP was designed according to the REST architecture [REST], and
thus exhibits functionality similar to that of the HTTP protocol, it
is quite straightforward to map from CoAP to HTTP and from HTTP to
CoAP. Such a mapping may be used to realize an HTTP REST interface
using CoAP or to convert between HTTP and CoAP. This conversion can
be carried out by a cross-protocol proxy ("cross-proxy"), which
converts the Method or Response Code, media type, and options to the
corresponding HTTP feature. Section 10 provides more detail about
2.4. Resource Discovery
Resource discovery is important for machine-to-machine interactions
and is supported using the CoRE Link Format [RFC6690] as discussed in