The disclosure is directed to security management in communications involving computing devices, e.g. Internet of Things (IoT) devices. An IoT device can perform various activities, e.g., social networking activities, for or on behalf of a user. An IoT device is typically insecure, especially when accessing user data. To control the type of activities that can be performed by various types of devices, a server device (“server”) can issue different types of tokens to different IoT devices. Which token an IoT device has determines the types of activities the IoT device can perform. For example, the server can issue a restricted token, which restricts the type of activities an IoT device can perform, and an unrestricted token to a more secure device, e.g., a smartphone, that can perform a broader range of activities. For example, the restrictive token may not permit the IoT device to change the password of a user.