Device authentication and key exchange protocol are essential front line of access controls in IoT security, and physical unclonable function (PUF) is a key enabler to lightweight, lowpower and secure authentication of internet enabled endpoint devices in IoT. Current PUF-enabled authentication protocol requires the verifier to store a sufficiently large number of challenge-response pairs (CRPs) of each of its interlocutors, which makes the protocol impractical in application scenarios where the verifier is a resource-constrained device, especially when the verifier needs to communicate with multiple PUF-embedded endpoints. To solve this problem, a new lightweight PUF-based mutual authentication and key-exchange protocol is proposed in this paper to allow two resource-constrained PUF embedded endpoint devices to authenticate each other without the need to store the CRPs locally, and simultaneously establish the session key for secure data exchange without resorting to public-key algorithm.