Build Your Own IoT Smart Lock with Secure Access Management

4 min read Namratha Subramanya on May 31, 2018

Upcoming Webinar!

Upcoming Webinar!

Arduino Microcontroller and the Future of IoT

A demonstration of the powerful impact that Arduino microcontrollers are having on smart home devices and a look at the current market space of the Internet of Things.

Register Here →

As the world becomes more connected, the concept of smart locks has taken off, and the prospect of going keyless is starting to resonate the minds of the current generation. Smart Locks not only make your home safe but also give you more control by allowing you to lock and unlock your door remotely.

For as long as humans have tried to lock up stuff and keep their belongings safe, burglars (hackers in this context) have always tried to break into those locks. How does it sound if we say you can build your own smart lock that allows only you to be able to unlock it?

Today’s users expect to interact in real time. PubNub makes it easy for you to add real-time capabilities to your apps, without worrying about the infrastructure. You can build apps that allow your users to engage in real time across mobile, browser, desktop and server. PubNub powers real-time communication for the Internet of Things and smart devices and provides the infrastructure and APIs for communication for any size IoT deployment. And PubNub Access Management makes it all secure.

The full GitHub repo for this project is available here. And here’s a demo of it in action:

What is Access Manager?

Access Manager extends PubNub’s security framework by providing token-based authorization that allows read and write access control at the user, device and channel level. Access Manager plays a major role in IoT/home automation device management system where secure data is streaming bi-directionally between registered devices and IoT devices like bulbs, sensors or locks.

Setting Up Access Manager

To access Access Manager you need to enable Access Manager in the PubNub Admin Dashboard (sign up first if you haven’t).

Set Access Manager to ON

Set Access Manager to ON


Type ENABLE and click on 'Save Changes'

Type ENABLE and click on ‘Save Changes’

Now you are all set to grant access to the users, groups and channels who can access the data that can be sent or received.

Access Manager operates completely on grant permission scheme and there are 3 levels of access:

  • Access for all users across all channels
  • Access for all users over a specific channel
  • Access for a specific user over a specific channel

Raspberry Pi

The idea here is to power a simple lock mechanism using Raspberry Pi. You can check out our PubNub blogs on how to get connected with Raspberry Pi and how to get started with Raspberry Pi 2 and Python.

Once you set up Raspberry Pi, install Python and import PubNub into your setup using the command:

pip install Pubnub

Grant Access

In order to perform Access Manager operations correctly, you must provide administrative authority. In order to perform an administrative function, you need to include secret_key along with publish_key and subscribe_key.

from pubnub.pnconfiguration import PNConfiguration 
pnconfig = PNConfiguration() 
pnconfig.subscribe_key = 'Enter your subscribe key here' 
pnconfig.publish_key = 'Enter your publish key here' 
pnconfig.secret_key = 'Enter your secret key here' 
pubnub = PubNub(pnconfig)

Your key will have your authentication key authKey . This authKey should be unique to your device. At any point during run-time you can set the authKey using setAuthKey() function.

As discussed earlier, there are 3 levels of access in Access Manager. Smart Locks like many other “Internet of Things” devices are vulnerable to internet hacks. So the highest level of security that can be provided to your Smart Lock using Access Manager is the channel + authKey level access.

if status.category == PNStatusCategory.PNConnectedCategory: 

This example grants 5 minutes access to a user whose auth_key is ‘Valid_key’ in the channel Raspberry. If a user doesn’t have access and tries to publish, they get a 403 error.

Whereas if you have access to publish you can see the following response for your JavaScript grant code:

    error: false,
    operation: 'PNAccessManagerGrant',
    statusCode: 200

Unlock Operation

Once you grant permission to a user of a specific channel, you can try to publish a message on to the device. If the user is authorized to publish on to the lock, you should be able to unlock the device.

function unlock() {
   var pubnub = new PubNub({
      subscribeKey: 'Enter your subscribe key here',
      publishKey: 'Enter your publish key here',
      authKey: 'Valid_key' // Safe to have a combination of characters
      message: 'Unlock',
      channel: 'Raspberry'
   function (status, response) {
      if (status.error) {
        // handle error
       } else {
        console.log("Message Published");

If you are not a valid user or if you do not have grant access and are trying to break the lock, you get the following error if you are using JavaScript:

{error: true, operation: "PNPublishOperation", statusCode: 403, errorData: Error: Forbidden
    at Request.<anonymous> (…, category: "PNAccessDeniedCategory"}


Access Denied

Wrapping Up

Setting up PubNub using Python on to your Raspberry Pi is simple and straight forward. You can provide user level read or write access using Access Manager to make your lock highly secure. PubNub authKey makes sure that only you have the privilege to unlock the IoT making it more secure and reliable.

In our next part, we add OAuth 2.0 to make our app even more secure!