It is predicted that more than 20 billion IoT devices will be deployed worldwide by 2020. These devices form the critical infrastructure to support a variety of important applications such as smart city, smart grid, and industrial internet. To guarantee that these applications work properly, it is imperative to authenticate these devices and data generated from them. Although digital signatures can be applied for these purposes, the scale of the overall system and the limited computation capability of IoT devices pose two big challenges. In order to overcome these obstacles, we propose DIoTA, a novel decentralized ledger-based authentication framework for IoT devices. DIoTA uses a two-layer decentralized ledger architecture together with a lightweight data authentication mechanism to facilitate IoT devices and data management. We also analyze the performance and security of DIoTA, and explicitly give the major parameters an administrator can choose to achieve a desirable balance between different metrics.