Overprivilege Attack, a widely reported phenomenon in IoT that accesses unauthorized or excessive resources, is notoriously hard to prevent, trace and mitigate. In this paper, we propose TBAC, a Tokoin-Based Access Control model enabled by blockchain and Trusted Execution Environment (TEE) technologies, to offer fine-grained access control and strong auditability for IoT. TBAC materializes the virtual access power into a definite-amount, secure and accountable cryptographic coin, termed “tokoin” (token+coin), and manages it using atomic and accountable state-transition functions in a blockchain. A tokoin carries a fine-grained policy defined by the resource owner to specify the requirements to be satisfied before an access is granted, and the behavioral constraints that describe the correct procedure to follow during access. The strong-auditability is achieved with blockchain and a TEE-enabled trusted access control object (TACO) to ensure that all access activities are securely monitored and auditable. We prototype TBAC by implementing all its functions with well-studied cryptographic primitives over different blockchain platforms, building a TACO on top of the ARM Cortex-M33 TEE microcontroller, and constructing a user-friendly APP for regular users. A case study is finally presented to demonstrate how TBAC is employed to enable autonomous and secure in-home cargo delivery.