The Internet of Things (IoT) is evolving into a ubiquitous technology that improves human lives with minimal time and effort. Resource-constrained IoT devices operating in an ambient environment with few or no safeguards are highly susceptible to physical attack. Existing protocols demand substantial computing resources for their cryptographic primitives and incur bandwidth overhead from the many messages exchanged during authentication; some also require multiple executions of disparate protocols, which adds considerable latency. Making effective use of lightweight primitives while retaining adequate security therefore motivates rethinking the design of IoT protocols. In this work, we develop a lightweight authentication and key exchange protocol suited to resource-constrained environments. The proposed protocol relies on bitwise XOR and a cryptographic hash function for secure communication, and on a Physically Unclonable Function (PUF) for generating a unique, device-dependent identity and for lightweight protection against physical attacks. This standalone protocol performs both device-to-device and device-to-server authentication without additional communication or computation cost, removing the need for separate protocols. The protocol is formally analysed against adversarial attacks and against attacks based on the bad-PUF model, and the Scyther verification tool is used for further security validation. Performance analysis confirms its lightweight characteristics. A prototype implemented on a Xilinx Spartan-3E FPGA and a Raspberry Pi for a smart street light monitoring system demonstrates the practicality of the proposed protocol and its resistance to different adversarial attacks.
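The abstract names the building blocks (XOR, a hash function, and a PUF) but not the message flow, so the following is an added, generic illustration of how those three primitives are typically combined for device-to-server mutual authentication and session key agreement; it is not the paper's protocol, and the message layout, field names and the `SimulatedPUF` class (a keyed hash standing in for silicon, since a real PUF response is produced by hardware) are all assumptions made for this example. The server stores a challenge-response pair (CRP) from a trusted enrollment phase; the PUF response never crosses the network, only hashes of it and XOR-masked values do, and any tampering with the masked field makes the device reject the exchange.

```python
import hashlib
import hmac
import secrets


def h(*parts: bytes) -> bytes:
    """Hash of the concatenation of the given byte strings (SHA-256)."""
    d = hashlib.sha256()
    for p in parts:
        d.update(p)
    return d.digest()


def xor(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedPUF:
    """Assumption: a keyed hash stands in for a hardware PUF. The 'silicon
    secret' models the manufacturing variation that makes responses
    device-unique; on real hardware nothing like it is stored or readable."""

    def __init__(self, silicon_secret: bytes):
        self._secret = silicon_secret

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self):
        self.crps = {}      # device id -> (challenge, response), from enrollment
        self.sessions = {}  # device id -> (nonce_s, x) for the live exchange

    def enroll(self, dev_id: bytes, puf: SimulatedPUF) -> None:
        """Trusted enrollment: record one CRP before the device is deployed."""
        c = secrets.token_bytes(16)
        self.crps[dev_id] = (c, puf.respond(c))

    def start(self, dev_id: bytes):
        """Message 1 (server -> device): challenge, server nonce,
        XOR-masked key contribution x, and an authenticator over it."""
        c, r = self.crps[dev_id]
        nonce_s, x = secrets.token_bytes(16), secrets.token_bytes(32)
        self.sessions[dev_id] = (nonce_s, x)
        masked_x = xor(x, h(r, nonce_s, dev_id))
        auth_s = h(r, nonce_s, x, b"srv")
        return c, nonce_s, masked_x, auth_s

    def finish(self, dev_id: bytes, nonce_d: bytes, auth_d: bytes):
        """Verify message 2 and derive the session key; None on failure."""
        _, r = self.crps[dev_id]
        nonce_s, x = self.sessions.pop(dev_id)
        if not hmac.compare_digest(auth_d, h(r, nonce_d, x, b"dev")):
            return None
        return h(r, x, nonce_s, nonce_d)


class Device:
    def __init__(self, dev_id: bytes, puf: SimulatedPUF):
        self.dev_id, self.puf = dev_id, puf

    def respond(self, c: bytes, nonce_s: bytes, masked_x: bytes, auth_s: bytes):
        """Regenerate the PUF response, unmask x, check the server's
        authenticator, and answer with message 2 plus the derived key."""
        r = self.puf.respond(c)  # recomputed on demand, never stored
        x = xor(masked_x, h(r, nonce_s, self.dev_id))
        if not hmac.compare_digest(auth_s, h(r, nonce_s, x, b"srv")):
            return None  # server does not know r, or message was altered
        nonce_d = secrets.token_bytes(16)
        auth_d = h(r, nonce_d, x, b"dev")
        return nonce_d, auth_d, h(r, x, nonce_s, nonce_d)


def run_session(tamper: bool = False):
    """Run one exchange; returns (device key, server key) or None if rejected.
    With tamper=True the first message is modified in transit."""
    puf = SimulatedPUF(secrets.token_bytes(32))  # constructed device secret
    dev, srv = Device(b"streetlight-017", puf), Server()
    srv.enroll(dev.dev_id, puf)
    c, nonce_s, masked_x, auth_s = srv.start(dev.dev_id)
    if tamper:
        masked_x = bytes([masked_x[0] ^ 0xFF]) + masked_x[1:]
    reply = dev.respond(c, nonce_s, masked_x, auth_s)
    if reply is None:
        return None
    nonce_d, auth_d, sk_dev = reply
    sk_srv = srv.finish(dev.dev_id, nonce_d, auth_d)
    return None if sk_srv is None else (sk_dev, sk_srv)


if __name__ == "__main__":
    print("honest run keys match:", run_session()[0] == run_session()[1])
    print("tampered run rejected:", run_session(tamper=True) is None)
```

A real deployment would rotate the stored CRP after each use (or refresh it inside the authenticated session) so that a modelling adversary cannot collect repeated challenges, and would pass the raw PUF output through error correction before hashing, since physical responses are noisy; both of those concerns belong to the bad-PUF analysis the paper reports and are outside this sketch.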