Objective: To determine if the "device" which claims to be "A" is really "A".
Method: Maybe password-based scheme used in Website login could be the first method
Once client device is authenticated, the server device (which provides service, e.g. function call) will generate an give some token which the client can use in subseqeuent calls (or messages) to show its identity.
Authorization
Object: To determine if "device A" is authorized to do "some action (add, get, set)" over "some service (event, prop, func)".
Method: Basically, subject-object-action triple authorization scheme is used. (just like unix)