# MQTT User Authentication

Connectware supports two authentication methods for MQTT clients connecting to [CybusMQ](https://docs.cybus.io/2-0-6/documentation/cybusmq): username/password, and X.509 client certificates with mutual TLS (mTLS).

| Method            | Client requirements                           |
| ----------------- | --------------------------------------------- |
| Username/Password | Client must provide a username and password   |
| Mutual TLS        | Client must provide a valid X.509 certificate |

## Username/Password Authentication

MQTT clients can authenticate using a username and password. This authentication method works with all MQTT connection schemes (TCP, WebSocket, SSL/TLS).

## Mutual TLS Authentication

Mutual TLS authenticates clients with certificates instead of passwords. It offers enhanced security by eliminating password transmission and providing stronger client verification. Certificate-based authentication works as follows:

* Requires a valid X.509 client certificate signed by the Connectware CA.
* The certificate's Common Name (CN) must match a Connectware username with grant type certificate.
* No username or password is needed because possession of a valid certificate proves identity.
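
A pre-flight check for the two certificate requirements above, as an added example that is not part of the Connectware documentation: it verifies that a client certificate chains to a given CA file and that its CN equals the intended username. The helper names, the username `mqtt-client-01` and the throwaway CA (a stand-in for the Connectware CA) are constructed for illustration; the script requires the `openssl` CLI.

```shell
#!/bin/sh
# Added example: pre-flight check for an MQTT client certificate before mTLS use.
# All names, files and the CA below are constructed for illustration.

# Print the subject Common Name (CN) of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= //p'
}

# Hypothetical helper: preflight_mtls_cert <cert> <ca-file> <username>
# Succeeds only if the certificate chains to the CA file and its CN
# equals the expected username. Fails closed on multiple CN entries.
preflight_mtls_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 ||
    { echo "FAIL: $1 is not signed by the CA in $2"; return 1; }
  pf_cn=$(cert_cn "$1")
  [ "$pf_cn" = "$3" ] ||
    { echo "FAIL: CN '$pf_cn' does not match username '$3'"; return 1; }
  echo "OK: CN '$pf_cn' chains to the CA"
}

# Build a throwaway CA and one client certificate: make_constructed_pki <dir> <cn>
# The CA is a constructed stand-in for the Connectware CA, for testing only.
make_constructed_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/client.csr" -days 1 \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/client.crt" 2>/dev/null
}

# Demo with a constructed username: one matching check, one CN mismatch.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir" "mqtt-client-01"
preflight_mtls_cert "$demo_dir/client.crt" "$demo_dir/ca.crt" "mqtt-client-01"
preflight_mtls_cert "$demo_dir/client.crt" "$demo_dir/ca.crt" "other-user" || true
rm -rf "$demo_dir"
```
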

## MQTT Permissions

Once authenticated (by either method), MQTT clients can interact with topics based on their assigned permissions:

| Permission  | Allowed actions            |
| ----------- | -------------------------- |
| `read`      | Subscribe to topics        |
| `write`     | Publish to topics          |
| `readWrite` | Both subscribe and publish |

{% hint style="info" %}
To manage MQTT user permissions efficiently, create specific roles with appropriate topic permissions and assign them to users rather than configuring permissions individually. For more information, see [Permissions](https://docs.cybus.io/2-0-6/documentation/user-management/permissions).
{% endhint %}
