# MQTT Users

There are two ways to authenticate MQTT clients depending on the configuration of the Broker’s [environment variable](https://docs.cybus.io/1-9-0/documentation/configuration/environment-variables) *CYBUS\_BROKER\_USE\_MUTUAL\_TLS*. If set to `no` username and password need to be provided to the MQTT client; if set to `yes` then mutual TLS is activated in the Broker and MQTT clients need to provide an x.509 certificate that is valid for the CA cert installed for Connectware.

Mutual TLS works only over the MQTT connection scheme and needs a certificate created with a Common Name (CN) that matches a Connectware username with grant type *certificate*. When using Mutual TLS no username and password are required for authentication as the possession of the certificate implies the right to access the Broker.

The credentials of a User with grant type *password* can be used with an MQTT client to connect to Connectware and then subscribe topics and/or publish data on topics.

* *Subscriptions* are permitted on the topics with the `read` permission.
* *Publishing* is permitted on topics with the `write` permission.
* Topics with the `readWrite` permission are available for both *subscribing and publishing*.