CloudSignal Docs
Getting StartedFeatures

Organization isolation

CloudSignal's multi-tenant model uses organization-based authentication, ACLs, and quotas to keep tenants completely separate.

CloudSignal uses organization-based isolation to keep tenants completely separate. Each organization has its own users, topics, ACLs, and quotas, which makes CloudSignal fit multi-tenant applications.

How it works

When you sign up for CloudSignal, an organization is automatically created:

  • Organization (org_k7xm4pqr2n5t)
    • Users
      • admin@org_k7xm4pqr2n5t
      • agent-01@org_k7xm4pqr2n5t
      • webapp@org_k7xm4pqr2n5t
    • ACL rules
      • agent-01: publish agents/agent-01/#
      • webapp: subscribe agents/#
    • Sessions and messages
    • Quotas (based on plan)

Username format

All CloudSignal usernames include the organization ID:

username@organization_id

For example:

agent-01@org_k7xm4pqr2n5t
dashboard@org_k7xm4pqr2n5t
api-service@org_k7xm4pqr2n5t

This format ensures users from different organizations never collide, even when they share the same local username.

Isolation guarantees

Complete data isolation

  • Messages published in one organization are never visible to another
  • Topic namespaces are entirely separate
  • Two organizations can both have a topic agents/agent-01/state, they're different topics

Separate ACL rules

Each organization defines its own access control:

# Organization A
user-a@org_a can publish to:   agents/#
user-a@org_a can subscribe to: commands/#

# Organization B (completely independent)
user-b@org_b can publish to:   agents/#   # Different namespace
user-b@org_b can subscribe to: data/#

Independent quotas

Quotas are enforced per organization.

ResourceScope
Concurrent connectionsPer organization
Messages per minutePer organization
Retained messagesPer organization
Session storagePer organization

One organization hitting its quota does not affect others.

Building multi-tenant applications

CloudSignal's organization model supports two multi-tenancy patterns.

Pattern 1: one organization per customer

Give each of your customers their own CloudSignal organization:

  • Your SaaS platform
    • Customer A -> Organization org_customer_a
    • Customer B -> Organization org_customer_b
    • Customer C -> Organization org_customer_c
AspectTrade-off
ProsComplete isolation, independent quotas, customers can manage their own users
ConsRequires organization provisioning via API, separate credentials per customer

Pattern 2: topic-based isolation

Use a single organization with topic prefixes for isolation:

  • Your organization: org_your_saas
    • Customer A topics: customer-a/#
    • Customer B topics: customer-b/#
    • Customer C topics: customer-c/#
AspectTrade-off
ProsSimpler management (one organization), cross-customer queries are straightforward
ConsACL rules must enforce isolation, shared quota pool

For SaaS applications with strict isolation requirements, use one organization per customer. For internal applications, topic-based isolation is simpler.

ACL configuration

Access control lists (ACLs) enforce what each user can access:

# Agent can publish only its own messages
Username: agent-01@org_k7xm4pqr2n5t
  Publish:   agents/agent-01/#
  Subscribe: agents/agent-01/inbox

# Dashboard can read everything
Username: dashboard@org_k7xm4pqr2n5t
  Subscribe: agents/#
  Publish:   (none)

# Admin has full access
Username: admin@org_k7xm4pqr2n5t
  Publish:   #
  Subscribe: #

ACLs are configured in the CloudSignal dashboard or via API.

Security considerations

Credential isolation

Never share credentials between organizations. Each organization should have its own:

Credential typePurpose
Admin usersManagement and configuration
Service accountsBackend integrations
Per-agent credentialsOne credential per long-running client
TokensBrowser clients (short-lived)

Audit logging

CloudSignal logs every authentication attempt and connection event per organization:

  • Successful and failed logins
  • Connection and disconnection events
  • ACL violations

Access logs in the dashboard under Session History.

API access

Organization management APIs require authentication:

# List users in your organization
curl -X GET "https://api.cloudsignal.app/v2/users" \
  -H "Authorization: Bearer YOUR_API_KEY"

API keys are scoped to the organization that created them.

Migration and portability

CloudSignal speaks standard MQTT, so your application code isn't locked in:

AspectWhat this means
Same username formatWorks across CloudSignal environments and most managed brokers
Exportable ACLsMigrate your access rules with a one-shot script
Standard clientsAny MQTT 3.1.1 or 5.0 client connects without modification

If you need to migrate, your client code does not change, only the broker hostname.

MQTT transports

Connect to CloudSignal over TLS for backends or WSS for browsers. Two encrypted transports, same MQTT protocol.

Quickstarts

Framework-specific quickstarts for connecting to CloudSignal in under five minutes.

On this page

How it worksUsername formatIsolation guaranteesComplete data isolationSeparate ACL rulesIndependent quotasBuilding multi-tenant applicationsPattern 1: one organization per customerPattern 2: topic-based isolationACL configurationSecurity considerationsCredential isolationAudit loggingAPI accessMigration and portabilityRelated