Flexible Authentication
Multiple authentication methods for any architecture. Native Supabase integration, API keys for backends, and custom auth providers.
Server-Side Token Flow
Secrets stay on your server. Clients receive short-lived tokens that auto-refresh.
Hardcoded username/password in config or environment variables.
- Never expires
- Hard to rotate
- Same creds for all users
API keys or secrets bundled in browser/mobile app code.
- Exposed in source
- Extractable by users
- Can't revoke per-user
Your backend generates short-lived tokens for each client.
- Secrets never leave server
- Auto-expires (60 min default)
- Per-user permissions
How It Works
Authentication Methods
Choose the auth method that fits your application architecture.
Supabase Auth Integration
Native integration with Supabase Authentication. Your users authenticate once through Supabase, and CloudSignal automatically grants them MQTT access.
- Automatic user provisioning
- JWT token validation
- Row-level security sync
- Real-time auth updates
API Key Authentication
Generate API keys for server-to-server communication. Perfect for backend services that need to publish or subscribe to MQTT topics.
- Scoped permissions
- Rotation support
- Usage analytics
- IP allowlisting
Token-Based Auth
Generate temporary tokens for client devices. Tokens expire automatically and can be revoked at any time.
- Configurable TTL
- One-time use tokens
- Device fingerprinting
- Automatic cleanup
Supabase Auth Integration
Connect CloudSignal to your Supabase project. Users authenticated via Supabase automatically get MQTT access with matching permissions.
- Use existing Supabase JWT tokens
- Sync user roles to ACL permissions
- Real-time auth state changes
- No additional user management
// Supabase + CloudSignal integration
import { createClient } from '@supabase/supabase-js'
import mqtt from 'mqtt'
const supabase = createClient(SUPABASE_URL, SUPABASE_KEY)
// Get the current Supabase session
const { data: { session } } = await supabase.auth.getSession()
// Connect to CloudSignal using Supabase JWT
const client = mqtt.connect('wss://mqtt.cloudsignal.app', {
username: session.user.id,
password: session.access_token
})
client.on('connect', () => {
// User is authenticated via Supabase
// ACL rules based on Supabase user roles
client.subscribe(`users/${session.user.id}/notifications`)
})Backend & WSS Authentication
Secure authentication for server-to-server communication and backend services.
WSS Backend Authentication
Secure WebSocket connections from your backend services. Authenticate server-side processes without exposing credentials to clients.
mTLS Support
Mutual TLS authentication for enterprise deployments. Both client and server verify each other's certificates.
Auth Webhooks
Custom authentication logic via webhooks. Validate credentials against your own database or identity provider.
OIDC/OAuth2
Standard OAuth2 and OpenID Connect support. Integrate with any compliant identity provider.
// Backend WSS authentication
import mqtt from 'mqtt'
// Server-side connection with API key
const client = mqtt.connect('wss://mqtt.cloudsignal.app', {
username: 'api-key',
password: process.env.CLOUDSIGNAL_API_KEY,
clientId: `backend-${process.env.SERVICE_NAME}`
})
client.on('connect', () => {
// Publish events from your backend
client.publish('events/orders/created', JSON.stringify({
orderId: 'ord_123',
userId: 'user_456',
timestamp: Date.now()
}), { qos: 1 })
})Supported Identity Providers
Integrate with your existing authentication infrastructure.
Bring Your Own Auth (BYOA)
Enterprise customers can integrate their existing identity providers via SAML, OIDC, or custom authentication webhooks.
SAML SSO
Enterprise single sign-on integration
Custom Webhooks
Validate credentials against your own systems
Directory Sync
Sync users from AD/LDAP automatically
Contact [email protected] for enterprise authentication options.
Ready to Authenticate?
Set up authentication in minutes. Start with Supabase integration or use API keys.