Security
YedMQ combines transport encryption, tenant isolation, plugin-driven access control, and authenticated management APIs. This page describes what is wired into the current implementation.
Transport security
YedMQ can expose encrypted listeners for native MQTT clients and browser-based clients.
MQTT over TLS
[listener.tcp_tls]
external = "0.0.0.0:8883"
cert_file = "/path/to/server.crt"
key_file = "/path/to/server.key"
MQTT over WSS
[listener.wss]
external = "0.0.0.0:8084"
cert_file = "/path/to/server.crt"
key_file = "/path/to/server.key"
The current broker configuration consumes cert_file and key_file for TLS listeners. See Listener Configuration for the full listener layout.
Authentication and authorization
YedMQ delegates identity checks and ACL decisions to the plugin system.
Default behavior when no plugin answers
[mqtt]
default_authentication = "allow" # "allow" | "deny"
default_authorization = "allow" # "allow" | "deny"
allowkeeps local development simple.denyis the safer default for controlled environments.
What plugins can decide
During connect and message flows, plugins can validate or reject requests based on:
- username and password
- client ID
- client IP
- publish or subscribe action
- topic name
- tenant assignment
An authentication plugin can return a tenant_id, which becomes the isolation boundary for the client.
REST API protection
The management API uses HTTP Basic Authentication configured in yedmq.toml:
[listener.api.auth]
users = [
{ username = "admin", password = "change_me_in_production" }
]
All /api/v1/* requests must include valid credentials. In real deployments, use strong passwords and avoid exposing the management API directly to untrusted networks.
Tenant isolation as a security boundary
- Different tenants cannot see each other's sessions, topics, or retained messages.
- A client ID only needs to be unique inside one tenant.
- Tenant-scoped REST paths reduce accidental cross-tenant operations.
For more detail on tenant assignment and routing, see Multiple Tenant.