Skip to main content

MQTT Broker

The TagoDeploy MQTT Broker is a managed MQTT service that runs inside your private TagoDeploy instance. It is single-tenant infrastructure, separate from the public TagoIO MQTT broker, with its own security, access control, and routing to TagoIO.

Use it to deploy one or more private brokers, authenticate devices, set topic-level permissions, and route messages to your projects. You keep full administrative control.

What you get

  • Private MQTT infrastructure inside your TagoDeploy environment
  • TLS encryption with custom certificate management
  • Per-client authentication and topic access control through Groups
  • A live view of connected devices
  • More than one broker in the same TagoDeploy instance
  • Pipelines that forward MQTT messages to your API instance

How it works (high level)

The broker processes data in three stages:

  1. Authenticate: devices connect over TLS using clients you define.
  2. Authorize: Groups and their ACL permissions control publish and subscribe access per topic, and Group Rules assign clients to those groups.
  3. Route: Pipelines forward mapped topics to your API instance with the required authorization and network tokens.

MQTT sub-pages

The broker service splits its configuration across these pages:

  • Overview: broker name, service URL, and service controls.
  • Instances: machine size and autoscaling for the broker service.
  • Settings: broker-level configuration.
  • Clients: credentials that devices use to authenticate.
  • Groups: ACL permissions that allow or deny topic access.
  • Group Rules: rules that assign clients to groups automatically.
  • Connections: live view of devices currently connected.
  • Pipelines: forward incoming MQTT messages to external services. Topic mappings live on the same page.
  • Certificates: TLS certificates that encrypt broker traffic and verify clients.

Typical setup

  • Add the Broker from the App Catalog and track its deployment.
  • Get the broker endpoint from Domains.
  • Create clients with credentials or certificate authentication.
  • Define Groups with ACL permissions for publish and subscribe access.
  • Use Group Rules to assign clients to groups.
  • Configure a Pipeline with the target API URL and tokens, then map topics to it.
  • Connect your devices using their credentials and authorized topics.