MQTT.Agent - open protocol for AI agents

Authentication

Flexible Authentication

Multiple authentication methods for any architecture. Native Supabase integration, API keys for backends, and custom auth providers.

OAuth-Style Security

Server-Side Token Flow

Secrets stay on your server. Clients receive short-lived tokens that auto-refresh.

Static Credentials

Hardcoded username/password in config or environment variables.

  • Never expires
  • Hard to rotate
  • Same creds for all users

Client-Side Secrets

API keys or secrets bundled in browser/mobile app code.

  • Exposed in source
  • Extractable by users
  • Can't revoke per-user

Server-Side Tokens

Your backend generates short-lived tokens for each client.

  • Secrets never leave server
  • Auto-expires (60 min default)
  • Per-user permissions

How It Works

1. Client → Server: Request token
2. Server → CloudSignal: POST /tokens
3. CloudSignal → Server: Token
4. Server → Client: Return token
5. Client → CloudSignal: Connect MQTT

API key never leaves server
Tokens expire automatically
Auto-refresh supported
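
The backend half of this flow (steps 1 to 4), as an added example that is not CloudSignal's code. `TOKENS_URL`, the Bearer header on the upstream call, and the `user_id` / `ttl_seconds` body fields are assumptions, since the page names only `POST /tokens` and the `mqtt_credentials` response; `verifyJwt` and `fetch` are injected so the handler can be exercised offline.

```javascript
// Added example: backend side of the token flow (steps 1-4).
// Assumptions, not CloudSignal's documented API: TOKENS_URL, the Bearer
// header on the upstream call, and the user_id / ttl_seconds body fields.
const TOKENS_URL = 'https://cloudsignal.invalid/tokens' // placeholder URL
const TTL_SECONDS = 60 * 60 // the page's 60-minute default

const deny = (status, error) => ({ status, body: { error } })

// deps.verifyJwt(token): your IdP's verifier, resolves to claims or throws
// deps.fetch: fetch-compatible function; deps.apiKey: server-only secret
async function issueMqttToken(authorizationHeader, deps) {
  const match = /^Bearer (\S+)$/.exec(authorizationHeader || '')
  if (!match) return deny(401, 'missing bearer token')

  let claims
  try {
    claims = await deps.verifyJwt(match[1]) // signature, expiry, audience
  } catch {
    return deny(401, 'invalid token')
  }
  if (!claims || typeof claims.sub !== 'string' || !claims.sub) {
    return deny(401, 'token has no subject')
  }

  // The user id comes from verified claims only, never from request input.
  const res = await deps.fetch(TOKENS_URL, {
    method: 'POST',
    headers: {
      Authorization: `Bearer ${deps.apiKey}`,
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({ user_id: claims.sub, ttl_seconds: TTL_SECONDS })
  })
  if (!res.ok) return deny(502, 'token service error')

  const { mqtt_credentials: creds } = await res.json()
  // Fail closed unless upstream returned a short-lived tkn_ credential,
  // so a long-lived sk_/rk_ key can never be relayed to a client.
  if (!creds || typeof creds.password !== 'string' ||
      !creds.password.startsWith('tkn_')) {
    return deny(502, 'unexpected credential type')
  }
  return {
    status: 200,
    headers: { 'Cache-Control': 'no-store' },
    body: { mqtt_credentials: { username: creds.username, password: creds.password } }
  }
}
```

Pass the request's `Authorization` header in from your framework's route handler and write the returned `status`, `headers` and `body` to the response.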

Authentication Methods

Choose the auth method that fits your application architecture.

External Identity Providers

Bring your own auth: Supabase, Firebase, Auth0, Clerk, or any OIDC/JWT provider. Your backend exchanges the IdP token for MQTT credentials.

  • Supabase (native)
  • Firebase Auth
  • Auth0 / Clerk
  • Custom OIDC / JWT

Token-Based Auth

Short-lived MQTT credentials (tkn_ prefix) scoped to a single user. Issued by your backend, expire automatically, revocable on demand.

  • Configurable TTL
  • Per-user scoping
  • Revoke from dashboard
  • Refresh without re-login

API Keys

Long-lived keys for server-to-server publishes. sk_ for full access, rk_ for restricted scopes. Bcrypt-hashed at rest.

  • Scoped permissions (sk_/rk_)
  • Rotation support
  • Usage analytics
  • IP allowlisting

Browser OAuth (Dashboard & CLI)

PKCE-style browser flow for `cloudsignal login` and dashboard sign-in. Session tokens stored locally at `~/.cloudsignal/credentials.json`.

  • Single sign-on for CLI + dashboard
  • 5-minute auth window
  • Auto session refresh
  • Clear with `cloudsignal logout`

Native Integration

Supabase Auth Integration

Connect CloudSignal to your Supabase project. Users authenticated via Supabase automatically get MQTT access with matching permissions.

  • Use existing Supabase JWT tokens
  • Sync user roles to ACL permissions
  • Real-time auth state changes
  • No additional user management

supabase-mqtt.js

// Supabase + CloudSignal: exchange a Supabase JWT for MQTT credentials
import { createClient } from '@supabase/supabase-js'
import mqtt from 'mqtt'

// In client code SUPABASE_KEY must be the public anon key, never the service_role key
const supabase = createClient(SUPABASE_URL, SUPABASE_KEY)
const { data: { session } } = await supabase.auth.getSession()
if (!session) throw new Error('Not signed in') // getSession() yields null when logged out

// Your backend exchanges the Supabase JWT for MQTT credentials
const res = await fetch('/api/cloudsignal-token', {
  headers: { Authorization: `Bearer ${session.access_token}` }
})
if (!res.ok) throw new Error(`Token request failed: ${res.status}`)
const { mqtt_credentials } = await res.json()
// mqtt_credentials.username -> "user_xyz@org_k7xm4pqr2n5t"
// mqtt_credentials.password -> "tkn_..." (shown once)

const client = mqtt.connect('wss://connect.cloudsignal.app:18885/', {
  username: mqtt_credentials.username,
  password: mqtt_credentials.password
})

client.on('connect', () => {
  // Subscribe only to this user's own topic
  client.subscribe(`users/${session.user.id}/notifications`)
})

Server-Side

Backend & WSS Authentication

Secure authentication for server-to-server communication and backend services.

WSS Backend Authentication

Secure WebSocket connections from your backend services. Authenticate server-side processes without exposing credentials to clients.

mTLS Support

Mutual TLS authentication for enterprise deployments. Both client and server verify each other's certificates.

Auth Webhooks

Custom authentication logic via webhooks. Validate credentials against your own database or identity provider.

OIDC/OAuth2

Standard OAuth2 and OpenID Connect support. Integrate with any compliant identity provider.

backend-publisher.js
// Backend service: use MQTTS with a service account token
import mqtt from 'mqtt'

const client = mqtt.connect('mqtts://mqtt.cloudsignal.app:8883', {
  username: process.env.CLOUDSIGNAL_USERNAME, // e.g. "rest_publisher@org_k7xm4pqr2n5t"
  password: process.env.CLOUDSIGNAL_PASSWORD, // tkn_... or api key
  clientId: `backend-${process.env.SERVICE_NAME}`,
  protocol: 'mqtts'
})

client.on('connect', () => {
  client.publish('events/orders/created', JSON.stringify({
    orderId: 'ord_123',
    userId: 'user_456',
    timestamp: Date.now()
  }), { qos: 1 })
})

Supported Identity Providers

Integrate with your existing authentication infrastructure.

  • Supabase (native integration)
  • Firebase
  • Auth0
  • Clerk
  • Custom OIDC / JWT (any compliant provider)

Enterprise

Bring Your Own Auth (BYOA)

Enterprise customers can integrate their existing identity providers via OIDC, JWT, or custom authentication webhooks.

Custom Webhooks

Validate credentials against your own systems

Directory Sync

Sync users from AD/LDAP automatically

for enterprise authentication options.

Ready to Authenticate?

Set up authentication in minutes. Start with Supabase integration or use API keys.