Nowadays, more constrained devices are becoming connected, building an extensive Internet of Things (IoT) network, but suffering from many security issues. In particular, authentication has become a severe research challenge for IoT systems. Furthermore, confidentiality, integrity, and availability are considered the core underpinnings of information security in general. Unfortunately, deploying conventional authentication protocols for IoT devices in practice is challenging for two main reasons. First, IoT devices have limited memory capacity, processing power, and energy resources. Second, these protocols store secret keys in the IoT devices’ volatile memory, making them vulnerable to physical attacks. Luckily, Physical Unclonable Functions (PUF) has emerged as promising low-cost security primitive. A PUF eliminates the need to store secret keys in device memory, making it a potential alternative to deploying more secure and low-cost authentication protocol schemes for IoT systems. Thing-to-Thing (T2T) or direct connection between IoT devices represents a promising technique to enable things to communicate directly without the need for a trusted third party. This paper proposes two novel lightweight Mutual Authentication and Key Exchange Protocols (MAKEP) for IoT devices using PUF. The first scheme, called T2S-MAKEP, ensures secure communication for Thing-to-Server (T2S). The second, called T2T-MAKEP, allows two endpoints of resource-constrained IoT devices, each with an embedded PUF circuit, to communicate securely. Both proposed protocols, T2T-MAKEP and T2S-MAKEP, allow for robust authentication without storing any information on the device’s memory and simultaneously establish the session key exchange. Our proposed protocols have been verified and validated using the automatic security analysis checker, Verifpal.