Security & ACL

Enterprise-Grade Security for Real-Time

Secure your MQTT connections with encryption, topic-level permissions, and multiple auth providers.

Start Building SecureSecurity Documentation

Security Built Into Every Layer

From transport encryption to fine-grained access control, CloudSignal protects your data at every step.

Enterprise-Grade WSS Security

Bank-level TLS 1.3 encryption for all WebSocket connections. Your real-time data is protected with the same security standards used by financial institutions.

Visual ACL Editor

Design access control rules with our intuitive visual editor. Define who can publish or subscribe to topics without writing code.

Comprehensive Audit Logs

Track every connection, publish, subscribe, and administrative action. Full visibility into your messaging infrastructure for compliance and debugging.

Organization Isolation

Complete data separation between tenants. Each organization operates in its own isolated namespace with dedicated credentials and access controls.

Multiple Auth Providers

Native Supabase Auth integration, token-based authentication, API keys, JWT validation, and OAuth/OIDC. Backend WSS auth for server-to-server communication.

Data Protection

Messages encrypted in transit. Optional message persistence with encryption at rest. Automatic data retention policies.

Access Control

ACL v2: Policy-Based Access Control

Define topic-level permissions with identity-aware policies. ACL v2 introduces variable bindings, preset templates, a built-in policy simulator, and CLI tooling for version-controlled deployments.

Identity-Bound Topics
Variable bindings like {email}, {user_id}, {agent_id}, {session_id}, and {client_id} scope topics to individual identities automatically
5 Preset Templates
Start from Permit All, Notifications, Agent Pipelines, Chat Channels, or Blank (deny-all) and customize from there
Policy Simulator
Test ACL rules against real topic patterns before deploying — catch misconfigurations without affecting live clients
CLI-Driven Deployment
Validate and push policies with cloudsignal acl validate and cloudsignal acl update for repeatable, reviewable deployments
acl-policy.json
{
  "version": "2.0",
  "default_action": "deny",
  "rules": [{
    "topic": "/{email}/inbox",
    "action": "subscribe",
    "effect": "allow"
  }, {
    "topic": "/broadcast/#",
    "action": "subscribe",
    "effect": "allow"
  }]
}
Enterprise

Advanced Security for Enterprise

Additional security features and compliance certifications for organizations with advanced requirements.

Bring Your Own Auth (BYOA)

Integrate your existing identity provider. Support for SAML, OIDC, and custom authentication webhooks for seamless SSO.

Private Endpoints

Dedicated infrastructure with private network connectivity. VPC peering and private link support for enterprise deployments.

Custom Retention Policies

Define custom data retention periods to meet your compliance requirements. Automatic purging and archival options.

Dedicated Infrastructure

Single-tenant deployments with dedicated compute and storage. Custom scaling and performance guarantees.

Security You Can Trust

Built on a battle-tested MQTT infrastructure trusted by teams worldwide for mission-critical real-time deployments.

99.9%
Uptime SLA
TLS 1.3
Encryption
24/7
Monitoring
<100ms
Latency

Ready for Secure Real-Time?

Start with our free tier or contact us for enterprise security requirements.

Start FreeContact Enterprise Sales

Questions about security? [email protected]