OCPP Authorization: RFID, App, and Offline Auth

By Rodolfo Carrillo

Quick answer

OCPP 1.6 has three authorization paths: online (Charge Point sends Authorize to the CSMS and waits for a response), local list (Charge Point checks a CSMS-managed list of pre-approved tokens), and authorization cache (Charge Point reuses the result from a previous online check). All paths return the same idTagInfo structure with a status of Accepted, Blocked, Expired, Invalid, or ConcurrentTx.

Three authorization paths

Path 1

Online (Authorize)

Charge Point sends the idTag to the CSMS in real time. The CSMS looks up the token in its database and responds with idTagInfo. Requires an active connection.

Path 2

Local Authorization List

CSMS pushes a token list to the Charge Point using SendLocalList. The Charge Point checks this list first, before going online. Works offline once populated.

Path 3

Authorization Cache

Charge Point automatically caches idTagInfo from every successful Authorize exchange. On cache hit, it can authorize without contacting the CSMS.

When a token is presented, the Charge Point checks paths in priority order: Local List → Authorization Cache → Online. The CSMS can configure which paths are enabled via configuration keys LocalAuthListEnabled and AuthorizationCacheEnabled.

Authorize message

The Authorize request carries a single field: idTag — a string of up to 20 characters. In RFID deployments this is typically the UID of the NFC/RFID card, hex-encoded. In app-based charging it may be a backend-assigned token string.

CALL — Authorize

[ 2, "auth-001", "Authorize", "idTag": "04A3B2C1D0E5F6" ]

idTagInfo response

The CSMS responds with an idTagInfo object. This same structure appears in Authorize responses, StartTransaction responses, and local list entries.

Field	Required	Description
status	Yes	Authorization result: Accepted, Blocked, Expired, Invalid, or ConcurrentTx.
expiryDate	No	UTC date-time after which this token is no longer valid. If provided, the Charge Point should reject the token after this date even from cache.
parentIdTag	No	Group token for fleet/family authorization. If the parent token is Accepted, any child token with this parentIdTag is implicitly authorized.

status value	Meaning & Charge Point action
Accepted	Token is valid. Allow the session to proceed.
Blocked	Token is explicitly blocked. Deny the session and present an error.
Expired	Token has passed its expiry date. Deny the session.
Invalid	Token is not recognized in the CSMS database. Deny the session.
ConcurrentTx	Token already has an active transaction on a different connector. Typically deny — confirm with your CSMS documentation.

Local Authorization List

The CSMS manages the local list using two messages: SendLocalList (push an update) and GetLocalListVersion (read the current version number). The Charge Point stores up to LocalAuthListMaxLength entries.

CSMS → CP: SendLocalList (Full update, v42)

[ 2, "ll-001", "SendLocalList",  "listVersion": 42, "updateType": "Full", "localAuthorizationList": [  "idTag": "04A3B2C1D0E5F6", "idTagInfo":  "status": "Accepted", "expiryDate": "2026-01-01T00:00:00Z"  ,
 "idTag": "BLOCKED-CARD-01", "idTagInfo":  "status": "Blocked"   ]  ]

Key rules: updateType: "Full" replaces the entire list. updateType: "Differential" merges entries — adding new ones, updating existing ones, and removing entries that have no idTagInfo. The listVersion must be higher than the current version; the Charge Point rejects downgrades.

Authorization Cache

When AuthorizationCacheEnabled is true, the Charge Point automatically stores the idTagInfo from every successful online Authorize response. On subsequent presentations of the same token, the Charge Point can authorize locally using the cached result without sending a new Authorize request.

💡

The cache is not the same as the local list. The CSMS does not manage it directly. Cached entries expire when their expiryDate is reached, or when the CSMS pushes a new version of the token via SendLocalList that overrides the cached result.

Offline authorization

When the Charge Point cannot reach the CSMS, its behavior depends on three configuration keys:

Configuration key	Effect when offline
LocalAuthListEnabled = true	Charge Point uses the local list to authorize tokens. Works fully offline for listed tokens.
AuthorizationCacheEnabled = true	Charge Point uses cached Authorize results. Works for tokens seen recently. Non-expired cached entries are accepted.
AllowOfflineTxForUnknownId = true	Tokens not in the local list or cache are tentatively accepted and queued for online validation when connectivity resumes. Use with caution in public charging.

OCPP 2.0.1: IdToken

OCPP 2.0.1 replaces the plain idTag string with an IdToken object. Two fields are required: idToken (the token string) and type (the technology type). The type field enables the CSMS to handle different authentication technologies with different validation rules:

type value	Technology
ISO14443	Standard NFC/RFID card (Mifare Classic, Desfire)
ISO15693	Long-range RFID
MacAddress	Device MAC address (OCPP over Wi-Fi)
eMAID	e-Mobility Account Identifier (ISO 15118, Plug & Charge)
EVCCID	Electric Vehicle Communication Controller ID (ISO 15118)
KeyCode	PIN / numeric code
Local	Local account created on the device
NoAuthorization	No token — free charging or guest mode
Central	Backend-generated session token

The 2.0.1 response adds new status values: NoCredit, NotAllowedTypeEVSE, NotAtThisLocation, and NotAtThisTime — enabling richer rejection reasons for prepaid accounts and location-restricted tokens.

Common errors

idTag longer than 20 characters

Truncated RFID UIDs are a silent source of authorization failures. Many RFID readers output 28-character UIDs. Truncate to 20 characters consistently and ensure the CSMS database stores the same truncated value.

Local list version not incremented

A SendLocalList with a version number equal to or lower than the current version is rejected by the Charge Point. Always increment the listVersion with every update — even a Differential one.

Not clearing expired cache entries

If AuthorizationCacheEnabled is true and expiryDate is not set, cached entries never expire. Blocked tokens that were previously Accepted may still authorize from cache. Always include an expiryDate when pushing token updates.

Sending Authorize for every transaction when local list is available

Authorize adds round-trip latency to every session start. For frequently-used tokens, use the local list or cache to authorize locally. Reserve the online Authorize for first-seen tokens.

Rodolfo Carrillo

OCPP integration engineer and creator of OCPP Tools. All articles are verified against the official OCA specification and tested using the on-site tools.

Frequently asked questions

What is the difference between the Local Authorization List and the Authorization Cache?

The Local Authorization List is explicitly managed by the CSMS using SendLocalList — the CSMS decides which tokens are in it and their status. The Authorization Cache is automatically maintained by the Charge Point: it stores the idTagInfo result from every online Authorize response it receives, and uses these cached results when the CSMS is temporarily unreachable.

Can a Charge Point start a session without an internet connection?

Yes, if LocalAuthListEnabled or AuthorizationCacheEnabled is true, the Charge Point can authorize using stored token data. If neither is available and the CSMS is unreachable, the Charge Point behavior depends on the AllowOfflineTxForUnknownId configuration key — if true, unknown tokens are tentatively accepted; if false, they are rejected.

What is a parentIdTag and when is it used?

A parentIdTag groups multiple tokens together — for example, all RFID cards assigned to the same fleet account. If the driver presents a card with parentIdTag "FLEET-001", and the local list or CSMS recognizes "FLEET-001" as Accepted, the session is authorized even if the individual card is not explicitly listed. This enables fleet-level authorization without managing individual cards.

What should the Charge Point do if it receives ConcurrentTx from the CSMS?

ConcurrentTx means the idTag already has an active session on another connector. The Charge Point should refuse to start a new session on this connector. Some CSMS implementations use ConcurrentTx to prevent token sharing across multiple chargers simultaneously.

Is the Authorize message required before every StartTransaction?

No. If the Charge Point has a valid local list or cache entry for the idTag, it may skip Authorize and send StartTransaction directly. The CSMS then re-validates the token in the StartTransaction response via idTagInfo. This reduces round-trip latency for known tokens.

What is SendLocalList updateType Differential vs Full?

Full replaces the entire local list with the new one. Differential adds, updates, or removes specific entries without replacing the whole list — useful for incremental updates when the list is large. The listVersion must always increment with each update.

Sources & further reading

· Open Charge Alliance. (2015). Open Charge Point Protocol 1.6, Edition 2, §4.1 — Authorize. https://openchargealliance.org/my-oca/ocpp/
· Open Charge Alliance. (2015). Open Charge Point Protocol 1.6, Edition 2, Appendix 1 — LocalAuthListEnabled, AuthorizationCacheEnabled, AllowOfflineTxForUnknownId. https://openchargealliance.org/my-oca/ocpp/
· Open Charge Alliance. (2020). Open Charge Point Protocol 2.0.1, §5 — Authorize, IdToken. https://openchargealliance.org/my-oca/ocpp/

Last technical review: May 12, 2025

Continue learning

Reference

StartTransaction & StopTransaction

How authorization result in idTagInfo is used when a transaction starts.

Reference

Remote Start & Stop

Remote sessions also carry an idTag — how authorization works for app sessions.

Comparison

OCPP 1.6 vs 2.0.1

IdTag becomes IdToken object — what changes for your authorization logic.