Authentication

Authentication verifies the identity of an MQTT client before the broker allows it to connect.

When a client sends a CONNECT packet, the broker compares the supplied credentials with the authentication configuration to confirm the client is authorized. The broker accepts or rejects the connection based on the result.

The HiveMQ Platform supports the following authentication methods:

  • Access credentials: A username and password supplied in the CONNECT packet. Use Transport Layer Security (TLS) to encrypt credentials in transit.

  • Client certificates: An X.509 certificate presented during the TLS handshake. Client certificates authenticate a device without a username or password.

  • JSON Web Tokens (JWT): A signed token that the client presents to prove its identity.

Without TLS, credentials travel across the network to the broker in plain text. Configure TLS on any broker that uses credential-based authentication.

How Authentication Works

  1. The MQTT client sends a CONNECT packet that includes credentials.

  2. The broker validates the credentials against its authentication configuration.

  3. The broker responds with a CONNACK packet.

    1. If authentication passes, the CONNACK confirms the connection.

    2. If authentication fails, the CONNACK includes a failure code and the broker closes the connection.
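The exchange above at the byte level, as an added example that is not HiveMQ code: it decodes a constructed CONNECT packet to show that the username and password sit in it as readable fields when TLS is absent, and maps a CONNACK return code to its meaning. It assumes the MQTT 3.1.1 wire format; the function names and sample values are made up for illustration.

```python
import struct
# MQTT 3.1.1 CONNACK return codes (0 = accepted, anything else = refused)
CONNACK_CODES = {0: "accepted", 1: "unacceptable protocol version",
                 2: "identifier rejected", 3: "server unavailable",
                 4: "bad user name or password", 5: "not authorized"}
# Constructed samples (not captured traffic): user "device", password "s3cret"
SAMPLE_CONNECT = (b"\x10\x25" b"\x00\x04MQTT\x04\xc2\x00\x3c"
                  b"\x00\x09sensor-01" b"\x00\x06device" b"\x00\x06s3cret")
SAMPLE_CONNACK = b"\x20\x02\x00\x04"

def _remaining_length(buf, pos):
    """Decode the 1-4 byte size field; return (value, next_pos)."""
    value = 0
    for i in range(4):
        byte = buf[pos + i]
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("malformed remaining length")

def _field(buf, pos):
    """Read one field: 2-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_connect(packet):
    """Return the identity fields of a 3.1.1 CONNECT as sent on the wire."""
    length, pos = _remaining_length(packet, 1)
    if packet[0] >> 4 != 1 or pos + length != len(packet):
        raise ValueError("not a well-formed CONNECT packet")
    proto, pos = _field(packet, pos)
    if proto != b"MQTT" or packet[pos] != 4:
        raise ValueError("only MQTT 3.1.1 is handled here")
    flags, pos = packet[pos + 1], pos + 4      # skip level, flags, keep-alive
    client_id, pos = _field(packet, pos)
    if flags & 0x04:                           # will flag: skip topic, message
        _, pos = _field(packet, pos)
        _, pos = _field(packet, pos)
    user, pos = _field(packet, pos) if flags & 0x80 else (None, pos)
    password, pos = _field(packet, pos) if flags & 0x40 else (None, pos)
    return {"client_id": client_id, "username": user, "password": password}

def parse_connack(packet):
    """Return the meaning of the return code in a 3.1.1 CONNACK."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 2:
        raise ValueError("not a CONNACK packet")
    return CONNACK_CODES.get(packet[3], "reserved")
```

Calling `parse_connect(SAMPLE_CONNECT)` returns the password bytes unchanged, which is exactly what a network observer recovers from an unencrypted connection.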

For more information about what clients can do after authentication, see Authorization.