CloudSignal Docs
Getting Started

How CloudSignal works

CloudSignal's architecture, connection flows, and the publish/subscribe model that powers real-time communication.

CloudSignal is a managed MQTT broker that routes real-time messages between your devices, applications, and services. This page covers the core concepts you'll touch when integrating.

The publish/subscribe model

MQTT uses a publish/subscribe (pub/sub) pattern:

  1. Publishers send messages to topics (for example, agents/agent-01/state)
  2. Subscribers listen to topics they care about
  3. The broker (CloudSignal) routes messages from publishers to all matching subscribers

Unlike HTTP request/response, pub/sub is:

PropertyWhat it means
AsynchronousPublishers don't wait for subscribers
DecoupledPublishers and subscribers don't need to know about each other
EfficientOne message reaches many subscribers instantly
Publish / subscribe
Client A
Publisher
CloudSignal broker
Client B
Subscriber
Client C
Subscriber
Client D
Subscriber

Connection options

CloudSignal exposes two encrypted endpoints. Pick the one that matches where your code runs.

MQTT over TLS

AspectValue
URLmqtts://mqtt.cloudsignal.app:8883
Best forBackend services, native MQTT clients, IoT gateways
EncryptionTLS 1.2+

MQTT over WSS

AspectValue
URLwss://connect.cloudsignal.app:18885/
Best forBrowser apps, mobile webviews, environments behind restrictive firewalls
EncryptionTLS 1.2+

For browser apps, use the WSS endpoint with server-side token authentication. Never expose long-lived credentials in client-side code. See Server-side tokens.

Authentication flow

CloudSignal authenticates clients against your organization. The username always carries the organization ID.

Authentication flow
Client
CloudSignal
1. CONNECT username@org_id + password
2. Validate org, user, password
3. CONNACK + apply ACL rules

Two authentication methods

MethodWhen to useLifetime
Individual usersBackend services, IoT devicesPermanent until rotated
Temporary tokensBrowser apps60-minute default TTL
# Individual user
Username: mydevice@org_k7xm4pqr2n5t
Password: devicepassword123

# Temporary token
Username: token_user_xyz@org_k7xm4pqr2n5t
Password: tkn_abc123def456

Topics and ACLs

Topics are hierarchical paths that organize your messages.

chat/conv-7/messages
chat/conv-7/typing
notifications/user-42/inbox
agents/agent-01/state
agents/agent-01/inbox

Wildcards let you subscribe to multiple topics at once.

WildcardMatchesExample
+One levelchat/+/messages matches every room's messages
#All remaining levelschat/# matches everything under chat/

ACLs (access control lists) define what each user can do.

User: agent-01@org_k7xm4pqr2n5t
  - PUBLISH:   agents/agent-01/#
  - SUBSCRIBE: agents/agent-01/inbox

User: dashboard@org_k7xm4pqr2n5t
  - PUBLISH:   commands/#
  - SUBSCRIBE: agents/#

Quality of Service (QoS)

MQTT supports three QoS levels:

QoSGuaranteeBest for
0At most once (fire and forget)High-frequency telemetry where occasional loss is acceptable
1At least once (may duplicate)Important messages where duplicates can be handled
2Exactly onceCritical operations like commands or transactions

Higher QoS adds overhead. Use QoS 0 for telemetry; reach for QoS 1 or 2 only when delivery guarantees are required.

Sessions and message retention

Persistent sessions

When a client connects with clean_session=false:

StepWhat happens
ConnectCloudSignal records the client's subscriptions
DisconnectMessages matching those subscriptions are queued
ReconnectQueued messages are delivered

This enables offline-tolerant apps where clients can miss messages and catch up later.

Retained messages

When you publish with retain=true:

  • The broker stores the last message on that topic
  • New subscribers immediately receive the retained message
  • Useful for "last known state" scenarios
# Publish retained message
PUBLISH agents/agent-01/state: {"status":"idle"} (retain=true)

# Later, a new subscriber connects
SUBSCRIBE agents/agent-01/state
-> Immediately receives: {"status":"idle"}

Organization isolation

Every CloudSignal account belongs to an organization.

  • Users, ACLs, and quotas are scoped to the organization
  • Organizations are completely isolated from each other
  • You can create many users within one organization
  • The organization ID is part of every username: user@organization_id

When you sign up, an organization is created for you automatically.

Next steps

Why CloudSignal?

How CloudSignal compares to self-hosted MQTT brokers, HiveMQ Cloud, and AWS IoT Core, and when managed MQTT is the right choice.

Installation

Install the @cloudsignal/mqtt-client package via npm, yarn, or pnpm.

On this page

The publish/subscribe modelConnection optionsMQTT over TLSMQTT over WSSAuthentication flowTwo authentication methodsTopics and ACLsQuality of Service (QoS)Sessions and message retentionPersistent sessionsRetained messagesOrganization isolationNext steps