Access control lists (ACL)

Control which topics your MQTT users can publish and subscribe to with ACL rules.

ACL rules determine which topics your MQTT users can publish to or subscribe from. Use them to isolate tenants, scope agent topics to their owner, and prevent clients from reading data they shouldn't see.

What are ACL rules?

An ACL rule has three components:

Component	Description	Example
User/pattern	Which user(s) the rule applies to	`agent-001` or `agent-%`
Topic	The MQTT topic pattern	`agents/+/state`
Permission	Publish, subscribe, or both	`pubsub`

Why use ACL rules?

Without custom ACL rules, users have access to all topics in your organization by default.

Use ACL rules to:

Goal	Result
Limit agent access	Agents only publish to their own topics
Protect sensitive topics	Only admin users can access system topics
Enforce data flow	Producers publish, consumers subscribe, not vice versa
Multi-tenant isolation	Customer A can't see Customer B's data

Quick example

To allow agent-001 to only publish state updates:

User:       agent-001
Topic:      agents/agent-001/state
Permission: publish

This user can now:

Action	Result
Publish to `agents/agent-001/state`	Allowed
Publish to other topics	Denied
Subscribe to any topic	Denied

Default behavior

Scenario	Default access
No ACL rules defined	Full access to all topics
ACL rules exist for user	Only specified permissions apply
ACL rules exist for other users	User has no access

Once you create any ACL rule for a user, that user is restricted to only the topics explicitly allowed.