Authentication#
Brokers protect access in different ways. MQTT.fx supports the two common approaches: username/password authentication and certificate-based (mutual TLS) authentication. Both are configured per connection profile. A broker may require one, both, or neither.
No authentication#
Many local and public test brokers accept anonymous connections — no credentials at all. In that case leave the authentication options off. An ad-hoc connection (see Your first connection) always connects anonymously.
Username and password#
This is the most common form of MQTT authentication.
- Open the profile's connection options and find the User Credentials section.
- Enable Use Username/Password.
- Enter the User Name and Password.
The password may be left empty if your broker authenticates on the user name alone.
When you are connected with username/password authentication, the connection bar shows an authentication icon; hovering it reveals the user name in a tooltip (see Your first connection).
Watch out: credentials sent over a plain (non-TLS) connection travel unencrypted. For anything beyond local testing, combine username/password auth with TLS so the credentials are protected in transit.
Certificate-based authentication (mutual TLS)#
Some brokers authenticate clients by their TLS client certificate instead of (or in addition to) a username/password. In MQTT.fx this is set up in the TLS/SSL section, using one of the two mutual-TLS modes:
- Certificate Files — provide the client certificate and key as files.
- Certificates from trusted Keystore — provide the client identity from a keystore.
See TLS and security for the full field-by-field setup. Certificate auth and username/password auth can be used together if the broker requires both.
Connecting to cloud brokers#
Hosted MQTT brokers (such as HiveMQ Cloud or EMQX Cloud) are reached with a normal profile: enable TLS, use the broker's TLS port, and set the username and password from the provider's console. There is no special profile type — a standard MQTT broker profile with TLS and credentials is all you need.