NXP and Golioth: An Integrated Solution for Connecting Bluetooth Devices to the Cloud
Based on a contribution by Kyle Dando, Development Systems Application Engineer, NXP Semiconductors
As wireless IoT ecosystems grow more complex, one challenge stands out: how can developers bring fleets of low-power Bluetooth® Low Energy (BLE) devices into scalable, secure cloud architectures? Wi-Fi and cellular modules are typically designed with IP connectivity in mind. BLE devices, on the other hand, often operate at the edge without a direct path to the internet – and without an IP address.
NXP, together with cloud partner Golioth, is closing this gap with an integrated solution that makes BLE devices first-class citizens in the cloud. Using NXP’s wireless gateways and Golioth’s Pouch technology, developers can stream encrypted data from BLE devices to the cloud with production-ready security and straightforward enablement.
Why BLE Needs a Different Path to the Cloud
BLE is firmly established in IoT: sensors, wearables, controllers and battery-powered embedded devices rely on Bluetooth Low Energy for short-range, energy-efficient communication. But historically, connecting these devices directly to cloud platforms has been difficult because:
BLE devices usually don’t have an IP stack
They rely on gateways, phones or hubs to reach the internet
Security, identity management and data routing often require custom implementations
The result: fragmented architectures, ad-hoc integrations and long development cycles. Manufacturers need a way to treat BLE devices like any other secure, addressable asset in their cloud environment – without sacrificing low power and simplicity at the edge.
Golioth: “Serial Port to the Cloud”
Golioth, an NXP partner specializing in IoT cloud infrastructure, provides middleware that sits between embedded devices and cloud services. The platform gives manufacturers a:
Secure, production-ready connectivity layer
Unified device management and data routing
Scalable infrastructure for fleets of connected devices
Traditionally, such platforms focused on devices connecting via Wi-Fi or cellular. With Pouch, Golioth extends this approach to BLE devices that are not internet-ready, using a gateway to carry data into the cloud while preserving end-to-end security.
Inside Pouch: How BLE Data Reaches the Cloud Securely
Pouch is an encapsulation technology for BLE data packets. It ensures that data is protected from the moment it leaves the device until it arrives at the cloud.
Encryption at the Device
Each BLE device is provisioned with credentials for a specific project. Using a certificate and key pair, the device encrypts its payload locally before any gateway interaction. Sensitive data is never exposed in transit.Data Wrapping into a “Pouch”
The encrypted payload is then combined with metadata – such as device identity and project association – and wrapped into a Pouch packet. This structure makes it easy for the cloud to understand who sent the data and where it belongs, without intermediaries needing to decrypt it.Gateway Transit with NXP Hardware
A gateway, such as NXP’s FRDM-RW612 or FRDM-MCX W71, receives the Pouch packets and forwards them to the Golioth cloud. Crucially, the gateway does not decrypt the payload, does not modify the data structure and acts as a transparent transport layer between device and cloud. This keeps the security perimeter tight and simplifies gateway implementation for developers.Cloud-Side Validation and Processing
Once the packet reaches the Golioth cloud, the platform verifies the device certificate using a trusted Root CA, confirms that the gateway is authorized for the same project and routes and processes the data according to the project configuration.
From the cloud’s perspective, each BLE device behaves like a secure, addressable endpoint – even though it never directly touches the internet.
Built on Zephyr: A Shared Software Foundation
NXP is a founding member of the Zephyr Project and has contributed a broad wireless portfolio supported by the Zephyr RTOS. Golioth also builds on Zephyr for its cloud client stack. This shared foundation has several advantages for developers:
Cross-platform support: Zephyr runs on a wide range of NXP wireless devices.
Consistent enablement: Drivers, examples and connectivity stacks are aligned across hardware and cloud.
Faster time-to-market: New BLE platforms can be brought online using familiar APIs and tools.
By combining NXP’s Zephyr-enabled wireless portfolio with Golioth’s Zephyr-based client libraries, developers benefit from a streamlined path from prototype to production.
NXP’s BLE Gateways: FRDM-RW612 and FRDM-MCX W71
To make it easy to get started, NXP provides wireless development boards that can be used as gateways in a BLE-to-cloud architecture:
FRDM-RW612 – A tri-radio device supporting Wi-Fi 6, Bluetooth Low Energy and 802.15.4, ideal for multiprotocol gateways.
FRDM-MCX W71 – A powerful wireless MCU platform that can serve as a flexible BLE and Wi-Fi gateway.
With Pouch support and Zephyr enablement, these boards allow developers to:
Prototype a BLE cloud gateway quickly
Run example applications that show end-to-end connectivity with Golioth
Scale designs from evaluation to custom hardware using the same software stack
Getting Started
Developers who want to see BLE-to-cloud connectivity in action can:
Use NXP’s FRDM-RW612 or FRDM-MCX W71 as a BLE gateway
Integrate the Golioth Pouch libraries on their BLE devices
Follow the software example on NXP’s Bluetooth Cloud page to see how encrypted data flows from the device to the Golioth cloud via an NXP gateway.
Conclusion
By combining NXP’s wireless gateway hardware, Zephyr-based enablement and Golioth’s Pouch technology, manufacturers gain a clear, secure and scalable path to bring BLE devices into their cloud strategies. Devices remain simple and energy-efficient at the edge, while the cloud gains full visibility and control over data and identity.