Auth Database

Authentication and ACL functions depend on auth database. EMQ cloud uses PostgreSQL as the data source of two functions. Before using authentication and ACL functions, you must open auth database.

Auth Database is a value-added service, which requires you to pay extra fees each month. See the table below for the price information:

Number of connectionsPrice
Less than 100,000$200/month
Less than 500,000$300/month
Less than or equal to 1 million$500/month
More than 1 millionContact business department
Table 1 Auth Database Price Table


After the deployment is successfully launched, you can initialize the database as prompted in the details page  Auth Database  form:

Data Security

When deleting the database, the Authentication and ACL functions will be turned off and all clients and ACL data will be deleted. Please follow the prompts carefully.



Before Authentication is enabled, EMQ Cloud uses anonymous authentication by default, meaning that any client can connect to your deployment.

Based on MQTT, Authentication perform connection authentication through a preset Client ID and password, and provides functions such as viewing device online status , changing status change time , and so on.

Enabling conditions

  • Before enabling client authentication, the Auth Database must be initialized.

Client Management

You can add, delete, and modify the client. The modification can only disable/enable the client. If you need to change the password, you can only delete the previously added and then add the new.

Cloud supports batch import of csv format files, and you can download template files for import


Use the added clientid and password to connect. After the connection is successful, you can see the client online time and status.


  • When the client authentication function is enabled/disabled, the system will restart EMQX Broker, so please ensure that the restart will not affect you



After the ACL function is enabled, you can restrict subscribe and publish actions of client globally and at the client level. You can also use placeholders to implement dynamic ACLs.

Enabling condition

  • Before enabling ACL, the Auth Database must be initialized

Built-in ACL

EMQ Cloud sets the following ACLs by default:

  • -Allow all devices to publish/subscribe to any topic

  • Prohibit  non-local devices to publish/subscribe $SYS/#  and # topics

Enabling conditions

  • Before enabling ACL, the Database must be initialized

ACL Management

You can add and delete ACL rules on the interface. EMQ Cloud supports batch import of csv format files. You can also download template files for import.

ACL Sample

Global ACL 

Prohibit all devices from subscribing to the /a topic:

Select clientid as All ($ all), which matches all clients

Client ACL

Prohibit devices with clientid test_client from publish/subscribe/b:

Dynamic ACL

EMQ Cloud supports dynamic ACL settings using placeholders in topics. The supported placeholders are as follows:

  • Client ID placeholder %c, which will replace the current client Client ID when matched

  • Username placeholder %u, which will replace the current client Username when matched

ACL Rule coverage

The ACL is based on the most recent creation, that is, the ACL above the list (most recently created) will partially/fully override the rules below the list.

In the rule shown in the figure below, the bottom rule prohibits all devices from subscribing to the topic /a, and the top rule allow that device with Client ID istest_client subscribing to the topic /a.

The actual effect is: only test_client is allowed to subscribe to the topic /a.


  • The new ACL will take effect immediately. It will take a minute after the existing ACL is deleted or changed to take effect.

  • When enabling/disabling the ACL function, the system will  restart the EMQX broker, so please ensure that the restart will not affect you