Security
Authentication
MQTT clients authenticate using the username and password fields in the MQTT CONNECT packet. LavinMQ validates these credentials against the same authentication chain used by AMQP, supporting local users or OAuth2.
For OAuth2, the password field carries the JWT token.
The username field supports an optional vhost prefix using the format vhost:username. If no colon is present, the default_vhost configured in the [mqtt] section is used.
TLS
MQTT clients can connect over an encrypted connection using MQTTS on port 8883. TLS termination is handled by LavinMQ directly.
| Protocol | Port |
|---|---|
| MQTT (unencrypted) | 1883 |
| MQTTS (TLS) | 8883 |
Access control
By default, MQTT permission checks are disabled. Any authenticated client can publish and subscribe to any topic. Permission checks are enabled by setting permission_check_enabled = true in the [mqtt] section of the configuration.
When enabled, LavinMQ enforces standard AMQP ACL rules on MQTT operations:
Publishing requires write permission on the MQTT exchange:
mqtt.default
Subscribing requires:
- Read permission on mqtt.default
- Write permission on the client’s session queue, named mqtt.<client_id>
For example, a client with the client ID sensor-01 uses a session queue named:
mqtt.sensor-01
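The checks above can be modelled offline to test a planned permission set before applying it to the broker. This is an added example, not LavinMQ code: the function names are hypothetical, and it assumes AMQP-style permissions are a configure/write/read regex triplet matched against the full resource name, that the vhost prefix splits at the first colon, and that "/" stands in for the configured default_vhost.

```python
import re
from dataclasses import dataclass

MQTT_EXCHANGE = "mqtt.default"  # exchange name given on the page

def split_username(username, default_vhost="/"):
    # vhost:username format; assumption: split at the first colon,
    # "/" is a placeholder for the configured default_vhost
    vhost, sep, user = username.partition(":")
    return (vhost, user) if sep else (default_vhost, username)

@dataclass
class Permissions:
    # Assumed model: one regex per operation; an empty pattern grants nothing
    configure: str = ""
    write: str = ""
    read: str = ""

    def allows(self, op, resource):
        pattern = getattr(self, op)
        return bool(pattern) and re.fullmatch(pattern, resource) is not None

def required(action, client_id):
    # Checks the page lists for each MQTT operation
    if action == "publish":
        return [("write", MQTT_EXCHANGE)]
    if action == "subscribe":
        return [("read", MQTT_EXCHANGE), ("write", f"mqtt.{client_id}")]
    raise ValueError(f"unknown action: {action}")

def authorize(perms, action, client_id):
    return all(perms.allows(op, res) for op, res in required(action, client_id))

def least_privilege(client_id, publish=False, subscribe=False):
    # Narrowest regexes that still satisfy the checks for one client ID
    write, read = [], []
    if publish:
        write.append(MQTT_EXCHANGE)
    if subscribe:
        read.append(MQTT_EXCHANGE)
        write.append(f"mqtt.{client_id}")
    alt = lambda names: "|".join(re.escape(n) for n in names)
    return Permissions(write=alt(write), read=alt(read))

if __name__ == "__main__":
    # Constructed sample: a subscribe-only dashboard client
    perms = least_privilege("dash-01", subscribe=True)
    print(perms)
    for action, cid in [("subscribe", "dash-01"), ("publish", "dash-01"),
                        ("subscribe", "sensor-01")]:
        print(action, cid, authorize(perms, action, cid))
```

In this model a subscribe-only grant needs write permission only on the client's own session queue, so the same credentials can neither publish nor subscribe under another client ID.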
Virtual host isolation
LavinMQ creates a dedicated MQTT broker instance per virtual host. Isolating workloads into separate vhosts keeps sessions, subscriptions, retained messages, and routing state completely separate between environments or tenants.
Best practices
- Enable TLS in production using port 8883
- Enable permission_check_enabled and apply least-privilege access rules
- Avoid anonymous access in production environments
- Use virtual hosts to isolate independent workloads