OTAA - root keys: NwkKey, from where?

Setting up a device for OTAA I do need the two root keys AppKey and NwkKey. The former one is shown in the TTN device overview together with the AppEUI and DeviceEUI. In contrast the NwkKey is not shown there.

For the MIC calculation of the JOIN-REQUEST I do need the NwkKey as I understand the LoRaWAN V1.1 spec. What I have missed here? Where I get the root NwkKey from? Any further hints are very welcome.


Both root keys are necessary to generate the corresponding session encryption keys. The appkey and nwkkey are set in the end device if you use otaa (abp: you use the session keys). this requires your end device to be lorawan1.1 compliant. it is not a problem if your end device isnt because lora server allows you to choose older lorawan mac versions in the device profile (see lora-app-server). in lorawan 1.0.2 there was only 1 root key (nwkkey) used to generate the session keys, so you would only need 1 in that case.

Thank you for that info. What I need to know is, how do I get that NwkKey from the TTN homepage.

As I understand the TTN register device page conforms to LoRaWAN V1.02, where there is no NwkKey. Is my assumption right that TTN has to upgrade to V1.1 first before the new NwkKey is distributed or assigned to the device?

With the knowledge being able to work with V1.02 I can JoinRequest --> JoinAccept. Just had some trouble to implement V1.1 in my new device without knowing where to get the NwkKey from.


Sorry, I don’t know TTN. Maybe someon else who uses it can help here :slight_smile:

LoRa Server currently supports LoRaWAN 1.0.x. Therefore there is only one root-key you must set. I’m currently working on LoRaWAN 1.1 integration, when that has been released you will need two root keys (for LoRaWAN 1.1 devices).

Know it’s an old post, but what I’ve seen is that when regenerating appKey in https://server/#/organizations/1/applications/2/devices/.../keys, the nwkKey gets regenerated with a new value and frontend is showing the new value for nwkKey as if it was the appKey.

When calling [GET] /api/devices/{dev_eui}/keys the API returns different values for appKey and nwkKey. The nwkKey gets the new regenerated value, which is the one that is showing in frontend as appKey, but the returned appKey in API keeps the same as old one… It’s little bit confusing as I’m not sure of which will be used to join the device…

I’m I missing anything or this might be a bug?