docs: Update provisioning documentation with extra details

simensrostad · simensrostad · commit d10ee8fd6078 · 2025-12-16T12:57:30.000+01:00
Update the provisioning documentation to include additional details:
 - What happens during provisioning
 - What can be done after provisioning
 - Link to provisioning in main ToC

Signed-off-by: Simen S. Røstad &lt;simen.rostad@nordicsemi.no&gt;
diff --git a/README.md b/README.md
@@ -107,7 +107,7 @@ west flash --erase
 
 4. Wait for the device to provision credentials and connect to nRF Cloud over CoAP. Once connected, the device should be available under **Device Management** → **Devices**.
 
-See [Provisioning](docs/common/provisioning.md) for more details.
+See [Provisioning to nRF Cloud](docs/common/provisioning.md) for more details.
 </details>
 
 ## System Architecture
@@ -139,6 +139,7 @@ The architecture is detailed in the [Architecture documentation](docs/common/arc
 ## Table of Content
 
 * [Getting Started](docs/common/getting_started.md)
+* [Provisioning to nRF Cloud](docs/common/provisioning.md)
 * [Architecture](docs/common/architecture.md)
   * [System Overview](docs/common/architecture.md#system-overview)
   * [Zbus](docs/common/architecture.md#zbus)
diff --git a/docs/common/provisioning.md b/docs/common/provisioning.md
@@ -2,6 +2,36 @@
 
 Device provisioning establishes credentials for secure communication with nRF Cloud CoAP.
 
+<details>
+<summary><strong>What happens during provisioning?</strong></summary>
+
+The Asset Tracker Template uses the `nrf_provisioning` library to handle device provisioning automatically. The library provisions the root CA certificate for the provisioning service to the modem during boot if it's not already present. During provisioning, the following steps occur:
+
+1. **Secure Connection**: The library establishes a secure DTLS connection to the nRF Cloud CoAP Provisioning Service. The device verifies the server's identity using the root CA certificate.
+
+2. **Device Authentication**: The device authenticates itself using a JWT (JSON Web Token) signed with the modem's factory-provisioned Device Identity private key. This key is securely stored in the modem hardware and cannot be extracted.
+
+3. **Command Retrieval**: After successful authentication, the device requests provisioning commands from the server. These commands typically include cloud access credentials and configuration settings.
+
+4. **Modem Configuration**: To write the received credentials and settings, the library:
+   - Suspends the DTLS session (to maintain the connection state)
+   - Temporarily sets the modem offline
+   - Writes the credentials to the modem's secure storage
+
+5. **Result Reporting**: After executing the commands, the library resumes or re-establishes the DTLS connection (if needed), authenticates again with JWT, and reports the results back to the server. Successfully executed commands are removed from the server-side queue.
+
+6. **Validation**: The device uses the newly provisioned credentials to connect to nRF Cloud CoAP services.
+
+> [!NOTE]
+> The modem must be offline during credential writing because the modem cannot be connected to the network while data is being written to its storage area (credential writing).
+> Therefore its normal that LTE is disconnected/connected multiple times during provisioning.
+>
+> The attestation token is different from the JWT - it's used during the initial device claiming process to prove device authenticity to nRF Cloud, not during the provisioning protocol itself.
+
+For more details on the provisioning library, see the [nRF Cloud device provisioning documentation](https://docs.nordicsemi.com/bundle/ncs-latest/page/nrf/libraries/networking/nrf_provisioning.html).
+
+</details>
+
 ## Manual Provisioning
 
 1. Get the device attestation token:
@@ -36,6 +66,19 @@ Device provisioning establishes credentials for secure communication with nRF Cl
 
 1. Once connected, the device will be available under the **Devices** section in the **Device Management** navigation pane on the left.
 
+    <details>
+    <summary><strong>What can I do after provisioning?</strong></summary>
+
+    After your device is provisioned and connected, you can:
+
+    - **Monitor device data**: View real-time data from your device including location, temperature, battery percentage, and other sensor readings in the nRF Cloud portal.
+
+    - **Retrieve data programmatically**: Use the [Message Routing Service](https://docs.nordicsemi.com/bundle/nrf-cloud/page/Devices/MessagesAndAlerts/MessageRoutingService/ReceivingMessages.html) to automatically forward device messages to your own cloud infrastructure or application endpoints.
+
+    - **Perform firmware updates**: Deploy over-the-air firmware updates to your device. See [Firmware Updates (FOTA)](fota.md) for detailed instructions on preparing and deploying firmware updates via nRF Cloud.
+
+    </details>
+
 ### REST API Alternative
 
 You can also use the REST API as an alternative for provisioning by running the following command:
