Security overview
How CloudSignal secures your MQTT infrastructure with TLS encryption, token authentication, ACLs, and organization isolation.
CloudSignal secures every connection with TLS, every user with per-organization authentication, and every topic with ACLs. This page is a tour of those layers and the practices that keep them effective.
Security features
Encryption in transit
All CloudSignal connections are encrypted with TLS 1.2+. There are two endpoints, one for native MQTT clients and one for browser-based WebSocket clients.
| Transport | URL | Encryption |
|---|---|---|
| MQTT over TLS | mqtts://mqtt.cloudsignal.app:8883 | TLS 1.2+ |
| MQTT over WSS | wss://connect.cloudsignal.app:18885/ | TLS 1.2+ |
Authentication
CloudSignal supports two authentication methods.
| Method | When to use | Lifetime |
|---|---|---|
| Individual users | Backend services, agents, IoT devices | Permanent until rotated |
| Temporary tokens | Browser clients | 60-minute default TTL |
Individual users are created in the dashboard or via API with usernames in the format username@organization_id. Temporary tokens are minted from your backend, see Server-side tokens.
Authorization (ACLs)
Access control lists define what each user can do:
User: agent-01@org_k7xm4pqr2n5t
PUBLISH: agents/agent-01/#
SUBSCRIBE: agents/agent-01/inbox
User: dashboard@org_k7xm4pqr2n5t
PUBLISH: commands/#
SUBSCRIBE: agents/#ACLs are configured per user in the dashboard.
Organization isolation
Each CloudSignal organization is fully isolated:
| Guarantee | What it means |
|---|---|
| Separate namespaces | Topics are scoped to the organization |
| Independent users | Credentials only work inside their organization |
| Isolated quotas | One organization's usage doesn't affect another |
| Audit logging | Authentication events are logged per organization |
Best practices
For browser applications
| Practice | Why |
|---|---|
| Never embed permanent credentials in client code | Source is visible to users and extensions |
| Mint tokens from your backend | Keep secret keys server-side |
| Verify the user before issuing a token | Prevents anonymous token requests |
| Use short TTLs | Compromised tokens expire quickly |
For backend services and agents
| Practice | Why |
|---|---|
| Unique credentials per service/agent | Limits blast radius if one leaks |
| Use TLS in production | Encrypts all traffic |
| Store credentials in env vars or secret managers | Avoids accidental commits |
| Monitor for anomalies | Unusual patterns hint at compromise |
Security checklist
- Connecting via
mqtts://mqtt.cloudsignal.app:8883orwss://connect.cloudsignal.app:18885/ - Each client has unique credentials
- ACLs configured with least-privilege access
- Browser apps use server-side tokens, not permanent credentials
- Credentials stored in environment variables or a secret manager
- Session history monitored for suspicious activity
Related
- Server-side tokens - Secure browser authentication
- Organization isolation - Multi-tenant security