Inferensys

Glossary

Endpoint

A network address and set of security configurations exposed by an OPC UA Server, describing a specific way for a Client to establish a Secure Channel and Session.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
OPC UA CONNECTIVITY

What is an Endpoint?

An endpoint is the network address and security configuration that an OPC UA Server exposes, defining a specific way for a Client to establish a Secure Channel and Session.

An Endpoint is a fully qualified network address and a specific set of security configurations exposed by an OPC UA Server. It describes the exact URL, Security Policy, and Message Security Mode that a Client must use to establish a Secure Channel. Each Server can expose multiple endpoints, allowing different clients to connect using varying levels of encryption and authentication simultaneously.

The endpoint URL specifies the transport protocol (e.g., opc.tcp://) and the host address. The associated Security Policy defines the cryptographic algorithms for signing and encryption, while the Message Security Mode dictates whether messages are signed, encrypted, or sent in plaintext. A Client discovers available endpoints via the Server's Discovery Service, selecting the one that matches its required security posture before initiating the handshake.

OPC UA CONNECTIVITY

Key Characteristics of an Endpoint

An Endpoint defines the complete set of parameters a Client needs to establish a secure connection to an OPC UA Server. It combines a network address with a specific Security Policy and User Token Policy, representing a distinct way to create a Secure Channel and Session.

01

Endpoint URL Structure

The Endpoint URL specifies the transport protocol and network address. The scheme opc.tcp:// is the native, high-performance binary protocol, while https:// or opc.wss:// are used for web-friendly JSON Encoding over WebSockets.

  • Format: opc.tcp://<hostname>:<port>/<path>
  • Default Port: 4840 for opc.tcp
  • Example: opc.tcp://plc-line3.corp:4840/
  • Discovery: A Server's GetEndpoints service returns all available URLs
02

Security Policy Binding

Each Endpoint is bound to a single Security Policy, which defines the cryptographic algorithms for signing and encrypting messages. A Server typically exposes multiple Endpoints with different policies to support diverse client capabilities.

  • None: No security, plaintext communication
  • Basic128Rsa15: Legacy policy, deprecated
  • Basic256: AES-256 encryption, SHA-1 signing
  • Basic256Sha256: AES-256 encryption, SHA-256 signing
  • Aes128-Sha256-RsaOaep: Modern, recommended policy
  • Aes256-Sha256-RsaPss: Highest security level
03

User Token Policy

The Endpoint also specifies the User Token Policy, which dictates how a human user or application authenticates after the Secure Channel is established. This enables Role-Based Access Control on the Server's Address Space.

  • Anonymous: No user identity required
  • UserName: Authenticate with username and password
  • X.509 Certificate: Authenticate with a user-specific digital certificate
  • IssuedToken: Authenticate using an external token service like OAuth2 or JWT
04

Message Security Mode

The Endpoint's MessageSecurityMode determines the level of protection applied to each message on the wire. This is negotiated during the Secure Channel handshake.

  • None: No application-layer security
  • Sign: Messages are digitally signed for integrity and non-repudiation, but not encrypted
  • SignAndEncrypt: Messages are both signed and encrypted, providing confidentiality and integrity
05

Endpoint Discovery Process

Clients discover available Endpoints by querying the Server's Discovery Endpoint, a well-known, typically unsecured endpoint used solely for bootstrapping.

  1. Client connects to the Discovery Endpoint
  2. Client calls the GetEndpoints service
  3. Server returns a list of EndpointDescription structures
  4. Each description contains the Endpoint URL, Security Policy, Security Mode, and User Token Policies
  5. Client selects a compatible Endpoint and initiates a Secure Channel
06

Endpoint Identity Validation

During connection, the Client must validate the Server's X.509 Certificate presented by the Endpoint. This prevents man-in-the-middle attacks by ensuring the Server is who it claims to be.

  • The certificate's hostname must match the Endpoint URL
  • The certificate must be issued by a trusted Certificate Authority
  • The certificate must not be expired or revoked
  • Clients maintain a Trust List of accepted Server certificates
OPC UA ENDPOINT ESSENTIALS

Frequently Asked Questions

Clear, technically precise answers to the most common questions about OPC UA Endpoints, covering discovery, security configuration, and session establishment for automation engineers and system architects.

An OPC UA Endpoint is a network address and a complete set of security configurations exposed by an OPC UA Server that describes a specific way for a Client to establish a Secure Channel and Session. It functions as the single point of contact for initiating all communication. An Endpoint is defined by a URL (e.g., opc.tcp://192.168.1.100:4840), a Security Policy, and a Message Security Mode. When a Client wants to connect, it first queries the Server's Discovery Endpoint to retrieve a list of available Endpoints. The Client then selects a compatible Endpoint based on its own security capabilities, initiates a TCP connection, and performs a handshake using the specified cryptographic algorithms to create a mutually authenticated, encrypted channel. This mechanism allows a single physical server to offer multiple distinct access methods—for example, one Endpoint with no security for local trusted devices and another with Basic256Sha256 signing and encryption for remote clients traversing the internet.

DISTINGUISHING NETWORK ACCESS POINTS

Endpoint vs. Related OPC UA Concepts

Clarifying the distinct roles of an Endpoint, a Secure Channel, and a Session in establishing OPC UA connectivity.

FeatureEndpointSecure ChannelSession

Definition

A network address and security configuration describing a specific way to connect

A long-lived, encrypted communication path providing integrity and confidentiality

A logical connection managing user authentication and service state

OSI Layer

Application (URL descriptor)

Transport/Session

Application

Lifetime

Static (configured on Server)

Long-lived (minutes to days)

Long-lived (minutes to days)

Primary Function

Discovery and capability advertisement

Message signing, encryption, and transport

User identity, browsing, and subscriptions

Contains Security Policy

Manages User Identity

Created By

Server administrator

Client request to Endpoint

Client request over Secure Channel

Dependency

None

Requires an Endpoint

Requires a Secure Channel

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.