TLS & DTLS are the basis for our device authentication service, as well as for how the device authenticates a Golioth instance. The diagram below illustrates how the device's credentials (either an X.509 certificate or a Pre-Shared Key pair) map to MbedTLS.
At runtime, the device credentials are retrieved from non-volatile storage (or other persistent storage) and provided to the DTLS client. The client and server support both X.509 Certificates and PSK-based authentication.
Generally speaking, certificate-based authentication is more secure and you should use it for your production devices. However, slower devices will take a relatively long time to complete the handshake because of the Elliptic Curve Digital Signature Algorithm (ECDSA) operations that certificate-based authentication requires. For some resource-constrained MCUs (e.g., low clock speed), Pre-Shared Key authentication may be a better option. If you have questions, please reach out to our Developer Relations staff.