In this paper, we propose OSCAR, an architecture for end-to-end security in the Internet of Things. It is based on the concept of object security that relates security with the application payload. The architecture includes Authorization Servers that provide clients with Access Secrets that enable them to request resources from constrained CoAP nodes. The nodes reply with the requested resources that are signed and encrypted. The scheme intrinsically supports multicast, asynchronous traffic, and caching. We have evaluated OSCAR in two cases: 802.15.4 Low Power and Lossy Networks (LLN) and Machine-to-Machine (M2M) communication on two different hardware platforms and MAC layers on a real testbed and using the Cooja emulator. The results show that OSCAR outperforms a security scheme based on DTLS when the number of nodes increases. OSCAR also results in low energy consumption and latency.