An Endpoint is a fully qualified network address and a specific set of security configurations exposed by an OPC UA Server. It describes the exact URL, Security Policy, and Message Security Mode that a Client must use to establish a Secure Channel. Each Server can expose multiple endpoints, allowing different clients to connect using varying levels of encryption and authentication simultaneously.
Glossary
Endpoint

What is an Endpoint?
An endpoint is the network address and security configuration that an OPC UA Server exposes, defining a specific way for a Client to establish a Secure Channel and Session.
The endpoint URL specifies the transport protocol (e.g., opc.tcp://) and the host address. The associated Security Policy defines the cryptographic algorithms for signing and encryption, while the Message Security Mode dictates whether messages are signed, encrypted, or sent in plaintext. A Client discovers available endpoints via the Server's Discovery Service, selecting the one that matches its required security posture before initiating the handshake.
Key Characteristics of an Endpoint
An Endpoint defines the complete set of parameters a Client needs to establish a secure connection to an OPC UA Server. It combines a network address with a specific Security Policy and User Token Policy, representing a distinct way to create a Secure Channel and Session.
Endpoint URL Structure
The Endpoint URL specifies the transport protocol and network address. The scheme opc.tcp:// is the native, high-performance binary protocol, while https:// or opc.wss:// are used for web-friendly JSON Encoding over WebSockets.
- Format:
opc.tcp://<hostname>:<port>/<path> - Default Port: 4840 for
opc.tcp - Example:
opc.tcp://plc-line3.corp:4840/ - Discovery: A Server's GetEndpoints service returns all available URLs
Security Policy Binding
Each Endpoint is bound to a single Security Policy, which defines the cryptographic algorithms for signing and encrypting messages. A Server typically exposes multiple Endpoints with different policies to support diverse client capabilities.
- None: No security, plaintext communication
- Basic128Rsa15: Legacy policy, deprecated
- Basic256: AES-256 encryption, SHA-1 signing
- Basic256Sha256: AES-256 encryption, SHA-256 signing
- Aes128-Sha256-RsaOaep: Modern, recommended policy
- Aes256-Sha256-RsaPss: Highest security level
User Token Policy
The Endpoint also specifies the User Token Policy, which dictates how a human user or application authenticates after the Secure Channel is established. This enables Role-Based Access Control on the Server's Address Space.
- Anonymous: No user identity required
- UserName: Authenticate with username and password
- X.509 Certificate: Authenticate with a user-specific digital certificate
- IssuedToken: Authenticate using an external token service like OAuth2 or JWT
Message Security Mode
The Endpoint's MessageSecurityMode determines the level of protection applied to each message on the wire. This is negotiated during the Secure Channel handshake.
- None: No application-layer security
- Sign: Messages are digitally signed for integrity and non-repudiation, but not encrypted
- SignAndEncrypt: Messages are both signed and encrypted, providing confidentiality and integrity
Endpoint Discovery Process
Clients discover available Endpoints by querying the Server's Discovery Endpoint, a well-known, typically unsecured endpoint used solely for bootstrapping.
- Client connects to the Discovery Endpoint
- Client calls the GetEndpoints service
- Server returns a list of EndpointDescription structures
- Each description contains the Endpoint URL, Security Policy, Security Mode, and User Token Policies
- Client selects a compatible Endpoint and initiates a Secure Channel
Endpoint Identity Validation
During connection, the Client must validate the Server's X.509 Certificate presented by the Endpoint. This prevents man-in-the-middle attacks by ensuring the Server is who it claims to be.
- The certificate's hostname must match the Endpoint URL
- The certificate must be issued by a trusted Certificate Authority
- The certificate must not be expired or revoked
- Clients maintain a Trust List of accepted Server certificates
Frequently Asked Questions
Clear, technically precise answers to the most common questions about OPC UA Endpoints, covering discovery, security configuration, and session establishment for automation engineers and system architects.
An OPC UA Endpoint is a network address and a complete set of security configurations exposed by an OPC UA Server that describes a specific way for a Client to establish a Secure Channel and Session. It functions as the single point of contact for initiating all communication. An Endpoint is defined by a URL (e.g., opc.tcp://192.168.1.100:4840), a Security Policy, and a Message Security Mode. When a Client wants to connect, it first queries the Server's Discovery Endpoint to retrieve a list of available Endpoints. The Client then selects a compatible Endpoint based on its own security capabilities, initiates a TCP connection, and performs a handshake using the specified cryptographic algorithms to create a mutually authenticated, encrypted channel. This mechanism allows a single physical server to offer multiple distinct access methods—for example, one Endpoint with no security for local trusted devices and another with Basic256Sha256 signing and encryption for remote clients traversing the internet.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Endpoint vs. Related OPC UA Concepts
Clarifying the distinct roles of an Endpoint, a Secure Channel, and a Session in establishing OPC UA connectivity.
| Feature | Endpoint | Secure Channel | Session |
|---|---|---|---|
Definition | A network address and security configuration describing a specific way to connect | A long-lived, encrypted communication path providing integrity and confidentiality | A logical connection managing user authentication and service state |
OSI Layer | Application (URL descriptor) | Transport/Session | Application |
Lifetime | Static (configured on Server) | Long-lived (minutes to days) | Long-lived (minutes to days) |
Primary Function | Discovery and capability advertisement | Message signing, encryption, and transport | User identity, browsing, and subscriptions |
Contains Security Policy | |||
Manages User Identity | |||
Created By | Server administrator | Client request to Endpoint | Client request over Secure Channel |
Dependency | None | Requires an Endpoint | Requires a Secure Channel |
Related Terms
Understanding Endpoints requires familiarity with the core communication and security components that establish and protect the connection between OPC UA Clients and Servers.
Secure Channel
The transport-level connection established between an OPC UA application and a host. It provides encryption, message signing, and integrity for all data in transit. Before a Session can be created, a Secure Channel must be opened using the protocols and algorithms defined by the selected Security Policy. This layer ensures that even if packets are intercepted, they cannot be read or tampered with.
Session
A long-lived logical connection between a Client and Server that operates over a Secure Channel. The Session manages user authentication, continuity, and state across multiple service requests. If the underlying Secure Channel breaks, a Session can be transferred to a new channel within a configurable timeout, preserving subscriptions and preventing data loss during network interruptions.
Security Policy
A named set of cryptographic algorithms and key lengths that define how an Endpoint secures communications. Each Endpoint advertises exactly one Security Policy, which specifies:
- Symmetric encryption algorithm (e.g., AES-256)
- Message signing algorithm (e.g., SHA-256)
- Key derivation function
- Asymmetric key wrap algorithm Clients must support the policy to connect.
X.509 Certificate
A digital certificate conforming to the ITU-T X.509 standard, used during the Secure Channel handshake to establish application identity and trust. Each OPC UA application instance has a unique certificate. During the handshake, the Client and Server exchange certificates to prove their identities before any application data flows. Administrators must explicitly trust these certificates to authorize a connection.
Reverse Connect
A connectivity mechanism where the Server initiates the connection to a Client, reversing the typical TCP connection flow. This is critical for edge-to-cloud scenarios where a Server sits behind a firewall or NAT and cannot accept inbound connections. The Server connects to a known Client address, and the Client then establishes the Secure Channel and Session over this reversed transport.
Global Discovery Server
A centralized registry that maintains a list of known OPC UA Servers and their discovery Endpoints. Instead of requiring Clients to know every Server's address, a Client queries the GDS to find available systems across a large, segmented network. The GDS returns the Discovery Endpoint URL for each registered Server, which the Client then uses to retrieve the full list of operational Endpoints.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us