LoRa Basics Modem and LoRa Edge documentation

Scenario - LoRa Cloud™ Join Server


Prior to sending data, devices designed to operate on a LoRaWAN® network must join such a network. The recommended method for joining a device to a LoRaWAN network is to use the LoRa Cloud™ Join Server. This service is based on the LoRaWAN specification and is used to exchange encrypted information required for providing network session data to the device. It is also required for providing a nonce, which is necessary to symmetrically derive session keys (AppSKey and NwkSKey). The LoRa Cloud Join Server uses a secure external join server that never exposes device keys.

Once a device has been claimed using the LoRa Cloud Join Server, it can use the service to provide the join response in coordination with a LoRaWAN network server. There is a sequence of steps (covered in Claiming a Device) that must be performed prior to using this service.


Device owners should understand that they won’t ever see the root keys for the device when using the Join Server. Rather, the root keys are embedded in the HSM. (The join server doesn’t even see them.)


LoRa Basics™ Modem(s)

LoRa Edge™ LR1110 transceiver



  • The end device must be set up and properly initialized (PA, regulator modes, etc.).

  • The end device must be claimed.

  • The end device must be within range of at least one LoRaWAN network that is connected to the LoRa Cloud Join Server.

  • The Region and Device Class must be set up properly.

Prerequisites for LoRa Basics™ Modem:

  • No additional requirements

Prerequisites for LoRa Basics™ Modem-E:

  • No additional requirements

Prerequisites Specific to to Transceivers:

  • Transceivers must have a LoRaWAN stack to communicate with the network server.

Step-by-Step Procedure

  1. The application commands a join request.

  2. The stack then starts trying to join by sending one or more join requests (in case one fails).

  3. The join request is received by one or more network servers 1.

  4. The network server uses the JoinEUI from the join request and forwards it to the LoRa Cloud Join Server.

  5. If more than one join request is routed to the join server, the first one declared in the list of registered network servers is used for the rest of the steps (not depicted).

  6. If accepted by the LoRa Cloud Join Server, the NwkSKey is returned to that network server, along with the join response (which includes the AppNonce, used by the device to derive its session keys).

  7. If wrapping is enabled for the AppSKey, the wrapped AppSKey 2 is also returned.

  8. The network server sends the join response, encrypted with the AppSKey, to the end-device.

  9. The network server sends the AppSKey (or the wrapped AppSKey 2) to the application server as part of the data message (not pictured).

  10. Upon receiving the JoinAccept message, the end device can start sending encrypted payloads. Once the first uplink message (encrypted with the new session keys) is verified by the network server, the application can be notified of the completed join sequence.

@startuml  device_join_modem-ebox Device #LightBlue    participant "End Device Application" as App #LightBlue    participant "<color #000000>LR111x</color>" as LoRa  #00ADEF end box box LoRaWAN® #AAAAAA    participant "Gateway" as GW  #LightGray    participant "Network Server" as NS  #LightGrayend boxbox LoRa Cloud™ Services #00ADEF     participant "<color #000000>Join Server</color>" as JS #00ADEFend boxlegend left|=             |= Owner || <#00ADEF>    | Semtech || <#ADD8E6>    | Customer || <#D3D3D3>    | Ecosystem |endlegend== Device Join == App -> LoRa : Command to JoinLoRa -> GW : Join RequestGW -> NS : Join RequestNS -> JS : Join RequestJS -> NS : Join Response + NwkSkeyJS -> NS : AppSKey or Wrapped AppSKeyNS -> GW : Join ResponseGW -> LoRa : Join ResponseLoRa -> App : Notification of successful Join@enduml


If multiple network servers report the same join request, only the first eligible request will be answered. All subsequent join requests will be rejected.


Key Wrapping: The LoRa Cloud Join Server can create a wrapped AppSKey for a device. A wrapped AppSKey is an additional encryption method applied to the original AppSKey. The encryption scheme and key are known only to the device owner and the LoRa Cloud Join Server, which protects the application contents from being decrypted by the LoRaWAN network server.

Used By

Embedded application, LR111x/LoRa Edge™ chip, LoRaWAN network server, LoRa Cloud Join Server


  • No suggestions at this time.