Security and Privacy are some of the important aspects to be considered in the large-scale deployment of Internet of Things (IoT) systems. Due to the large number of IoT devices and the different administrative domains in which they operate, traditional approaches involving a Centralized server for managing Authorizations will not be scalable or efficient. In this paper, we propose a Decentralized Capability-Based Access Control framework using IOTA (DCACI); IOTA is an open-source distributed ledger that enables fee-less micro transactions for the IoT. The DCACI framework enables complete privacy and integrity of the Capability tokens using IOTA's Masked Authenticated Messaging (MAM) technology. It enables device owners and users to Grant, Update, Delegate and Revoke the capability tokens. The proposed DCACI framework has been implemented as a proof-of-concept on a resource constrained machine; the results indicate that it is capable of scaling up to large-scale infrastructure such as a Smart City, having millions of IoT devices. © 2019 IEEE.