Skip to content

Configuration Manual

EMQX Configuration File Manual.

The Erlang/OTP platform application is composed of distributed Erlang nodes (processes). Each Erlang node (process) needs to be assigned a node name for mutual communication between nodes. All Erlang nodes (processes) in communication are authenticated by a shared cookie.

Type: string

Default: emqx@

Unique name of the EMQX node. It must follow %name%@FQDN or %name%@IPv4 format.


Type: string

Secret cookie is a random string that should be the same on all nodes in the given EMQX cluster, but unique per EMQX cluster. It is used to prevent EMQX nodes that belong to different clusters from accidentally connecting to each other.


Type: integer

Default: 2097152

Optional: 1024-134217727

Maximum number of simultaneously existing processes for this Erlang system. The actual maximum chosen may be much larger than the Number passed. For more information, see:


Type: integer

Default: 1048576

Optional: 1024-134217727

Maximum number of simultaneously existing ports for this Erlang system. The actual maximum chosen may be much larger than the Number passed. For more information, see:


Type: integer

Default: 8192

Optional: 1-2097151

Erlang's distribution buffer busy limit in kilobytes.


Type: pos_integer

Default: 262144

Max number of ETS tables


Type: string

Path to the persistent data directory.
Possible auto-created subdirectories are:

  • mnesia/<node_name>: EMQX's built-in database directory.
    For example, mnesia/emqx@
    There should be only one such subdirectory.
    Meaning, in case the node is to be renamed (to e.g. emqx@,
    the old dir should be deleted first.
  • configs: Generated configs at boot time, and cluster/local override configs.
  • patches: Hot-patch beam files are to be placed here.
  • trace: Trace log files.

NOTE: One data dir cannot be shared by two or more EMQX nodes.


Type: disabled | duration

Default: 15m

Periodic garbage collection interval. Set to disabled to have it disabled.


Type: file

Default: log/erl_crash.dump

Location of the crash dump file.


Type: duration_s

Default: 30s

This variable gives the number of seconds that the emulator is allowed to spend writing a crash dump. When the given number of seconds have elapsed, the emulator is terminated.

  • If setting to 0 seconds, the runtime system does not even attempt to write the crash dump file. It only terminates.
  • If setting to a positive value S, wait for S seconds to complete the crash dump file and then terminates the runtime system with a SIGALRM signal.
  • A negative value causes the termination of the runtime system to wait indefinitely until the crash dump file has been completely written.


Type: bytesize

Default: 100MB

This variable sets the maximum size of a crash dump file in bytes. The crash dump will be truncated if this limit is exceeded. If setting it to 0, the runtime system does not even attempt to write a crash dump file.


Type: duration_s

Default: 2m

This is the approximate time an EMQX node may be unresponsive until it is considered down and thereby disconnected.


Type: integer

Default: 23

Maximum depth of the call stack printed in error messages and process_info.


Type: comma_separated_atoms

Default: []

List of Erlang applications that shall be rebooted when the EMQX broker joins the cluster.


Type: string

Deprecated since 5.0.8.


Type: cluster_call


Type: enum

Default: rlog

Optional: mnesia | rlog

Select the backend for the embedded database.
rlog is the default backend, that is suitable for very large clusters.
mnesia is a backend that offers decent performance in small clusters.


Type: enum

Default: core

Optional: core | replicant

Select a node role.
core nodes provide durability of the data, and take care of writes. It is recommended to place core nodes in different racks or different availability zones.
replicant nodes are ephemeral worker nodes. Removing them from the cluster doesn't affect database redundancy
It is recommended to have more replicant nodes than core nodes.
Note: this parameter only takes effect when the backend is set to rlog.


Type: enum

Default: gen_rpc

Optional: gen_rpc | rpc

Protocol used for pushing transaction logs to the replicant nodes.


Type: enum

Default: async

Optional: sync | async

In sync mode the core node waits for an ack from the replicant nodes before sending the next transaction log entry.


EMQX uses a library called gen_rpc for inter-broker communication.
Most of the time the default config should work, but in case you need to do performance fine-tuning or experiment a bit, this is where to look.


Type: enum

Default: async

Optional: sync | async

In sync mode the sending side waits for the ack from the receiving side.


Type: enum

Default: tcp

Optional: tcp | ssl

Transport protocol used for inter-broker communication


Type: integer

Default: 256

The maximum number of batch messages sent in asynchronous mode. Note that this configuration does not work in synchronous mode.


Type: enum

Default: stateless

Optional: manual | stateless

manual: discover ports by tcp_server_port.
stateless: discover ports in a stateless manner, using the following algorithm. If node name is emqxN@, where the N is an integer, then the listening port will be 5370 + N.


Type: integer

Default: 5369

Listening port used by RPC local service.
Note that this config only takes effect when rpc.port_discovery is set to manual.


Type: integer

Default: 5369

Listening port used by RPC local service.
Note that this config only takes effect when rpc.port_discovery is set to manual and driver is set to ssl.


Type: integer

Default: 10

Optional: 1-256

Set the maximum number of RPC communication channels initiated by this node to each remote node.


Type: duration

Default: 5s

Timeout for establishing an RPC connection.


Type: file

Path to TLS certificate file used to validate identity of the cluster nodes. Note that this config only takes effect when rpc.driver is set to ssl.


Type: file

Path to the private key file for the rpc.certfile.
Note: contents of this file are secret, so it's necessary to set permissions to 600.


Type: file

Path to certification authority TLS certificate file used to validate rpc.certfile.
Note: certificates of all nodes in the cluster must be signed by the same CA.


Type: duration

Default: 5s

Timeout for sending the RPC request.


Type: duration

Default: 5s

Timeout for the remote node authentication.


Type: duration

Default: 15s

Timeout for the reply to a synchronous RPC.


Type: duration_s

Default: 15m

How long the connections between the brokers should remain open after the last message is sent.


Type: duration_s

Default: 75s

The interval between keepalive messages.


Type: integer

Default: 9

How many times the keepalive probe message can fail to receive a reply until the RPC connection is considered lost.


Type: bytesize

Default: 1MB

TCP tuning parameters. TCP sending buffer size.


Type: bytesize

Default: 1MB

TCP tuning parameters. TCP receiving buffer size.


Type: bytesize

Default: 1MB

TCP tuning parameters. Socket buffer size in user mode.


Type: boolean

Default: true

Enable compatibility with old RPC authentication.

Cluster Setup

EMQX nodes can form a cluster to scale up the total capacity.
Here holds the configs to instruct how individual nodes can discover each other.

Type: atom

Default: emqxcl

Human-friendly name of the EMQX cluster.


Type: enum

Default: manual

Optional: manual | static | dns | etcd | k8s

Service discovery method for the cluster nodes. Possible values are:

  • manual: Use emqx ctl cluster command to manage cluster.
  • static: Configure static nodes list by setting seeds in config file.
  • dns: Use DNS A record to discover peer nodes.
  • etcd: Use etcd to discover peer nodes.
  • k8s: Use Kubernetes API to discover peer pods.


Type: comma_separated_atoms

Default: []

List of core nodes that the replicant will connect to.
Note: this parameter only takes effect when the backend is set to rlog and the role is set to replicant.
This value needs to be defined for manual or static cluster discovery mechanisms.
If an automatic cluster discovery mechanism is being used (such as etcd), there is no need to set this value.


Type: duration

Default: 5m

Remove disconnected nodes from the cluster after this interval.


Type: boolean

Default: true

If true, the node will try to heal network partitions automatically.


Type: enum

Default: inet_tcp

Optional: inet_tcp | inet6_tcp | inet_tls

The Erlang distribution protocol for the cluster.

  • inet_tcp: IPv4 TCP
  • inet_tls: IPv4 TLS, works together with etc/ssl_dist.conf


Type: cluster_static


Type: cluster_dns


Type: cluster_etcd


Type: cluster_k8s

Cluster Autodiscovery

EMQX supports node discovery and autocluster with various strategies: see Create and manage clusters

manualCreate cluster manually
staticAutocluster by static node list
dnsAutocluster by DNS A Record
etcdAutocluster using etcd
k8sAutocluster on Kubernetes

Create cluster manually

This is the default configuration of clustering, nodes join a cluster by executing ./bin/emqx_ctl join <Node> CLI command:

cluster.discovery = manual

Autocluster by static node list

Service discovery via static nodes. The new node joins the cluster by connecting to one of the bootstrap nodes.


Type: array

Default: []

List EMQX node names in the static cluster. See

Autocluster by DNS Record

Service discovery via DNS SRV records.

Type: string

Default: localhost

The domain name from which to discover peer EMQX nodes' IP addresses. Applicable when cluster.discovery_strategy = dns


Type: enum

Default: a

Optional: a | srv

DNS record type.

Autocluster using etcd

Service discovery using 'etcd' service.


Type: comma_separated_list

List of endpoint URLs of the etcd cluster


Type: string

Default: emqxcl

Key prefix used for EMQX service discovery.


Type: duration

Default: 1m

Expiration time of the etcd key associated with the node. It is refreshed automatically, as long as the node is alive.


Type: ssl_client_opts

Options for the TLS connection to the etcd cluster.

Autocluster on Kubernetes

Service discovery via Kubernetes API server.


Type: string


Kubernetes API endpoint URL.


Type: string

Default: emqx

EMQX broker service name.


Type: enum

Default: ip

Optional: ip | dns | hostname

Address type used for connecting to the discovered nodes. Setting cluster.k8s.address_type to ip will make EMQX to discover IP addresses of peer nodes from Kubernetes API.


Type: string

Default: default

Kubernetes namespace.


Type: string

Default: pod.local

Node name suffix.
Note: this parameter is only relevant when address_type is dns or hostname.

Cluster Call

Options for the 'cluster call' feature that allows to execute a callback on all nodes in the cluster.


Type: duration

Default: 1m

Time interval to retry after a failed call.


Type: integer

Default: 100

Optional: 1-500

Retain the maximum number of completed transactions (for queries).


Type: duration

Default: 5m

Time interval to clear completed but stale transactions. Ensure that the number of completed transactions is less than the max_history.


Configure the log output location, log level, log file storage path, and parameters such as log rotation and overload protection.

File Output Log

Log handler that prints log events to files.


Type: file

Name the log file.


Type: log_rotation


Type: infinity | bytesize

Default: 50MB

This parameter controls log file rotation. The value infinity means the log file will grow indefinitely, otherwise the log file will be rotated once it reaches max_size in bytes.


Type: boolean

Default: true

Enable this log handler.


Type: log_level

Default: warning

The log level for the current log handler. Defaults to warning.


Type: string

Default: system

The time offset to be used when formatting the timestamp. Can be one of:

  • system: the time offset used by the local system
  • utc: the UTC time offset
  • +-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to: system.


Type: unlimited | 100..inf

Default: unlimited

Set the maximum length of a single log message. If this length is exceeded, the log message will be truncated. NOTE: Restrict char limiter if formatter is JSON , it will get a truncated incomplete JSON data, which is not recommended.


Type: enum

Default: text

Optional: text | json

Choose log formatter. text for free text, and json for structured logging.


Type: boolean

Default: true

Print logs in a single line if set to true. Otherwise, log messages may span multiple lines.


Type: non_neg_integer

Default: 100

As long as the number of buffered log events is lower than this value, all log events are handled asynchronously. This means that the client process sending the log event, by calling a log function in the Logger API, does not wait for a response from the handler but continues executing immediately after the event is sent. It is not affected by the time it takes the handler to print the event to the log device. If the message queue grows larger than this value, the handler starts handling log events synchronously instead, meaning that the client process sending the event must wait for a response. When the handler reduces the message queue to a level below the sync_mode_qlen threshold, asynchronous operation is resumed.


Type: pos_integer

Default: 3000

When the number of buffered log events is larger than this value, the new log events are dropped. When drop mode is activated or deactivated, a message is printed in the logs.


Type: pos_integer

Default: 8000

If the number of buffered log events grows larger than this threshold, a flush (delete) operation takes place. To flush events, the handler discards the buffered log messages without logging.


Type: log_overload_kill


Type: log_burst_limit


Type: enum

Default: error

Optional: error | progress

Type of supervisor reports that are logged. Defaults to error

  • error: only log errors in the Erlang processes
  • progress: log process startup.


Type: unlimited | non_neg_integer

Default: 100

Maximum depth for Erlang term log formatting and Erlang process message queue inspection.

Console Output Log

Log handler that prints log events to the EMQX console.


Type: boolean

Default: false

Enable this log handler.


Type: log_level

Default: warning

The log level for the current log handler. Defaults to warning.


Type: string

Default: system

The time offset to be used when formatting the timestamp. Can be one of:

  • system: the time offset used by the local system
  • utc: the UTC time offset
  • +-[hh]:[mm]: user specified time offset, such as "-02:00" or "+00:00" Defaults to: system.


Type: unlimited | 100..inf

Default: unlimited

Set the maximum length of a single log message. If this length is exceeded, the log message will be truncated. NOTE: Restrict char limiter if formatter is JSON , it will get a truncated incomplete JSON data, which is not recommended.


Type: enum

Default: text

Optional: text | json

Choose log formatter. text for free text, and json for structured logging.


Type: boolean

Default: true

Print logs in a single line if set to true. Otherwise, log messages may span multiple lines.


Type: non_neg_integer

Default: 100

As long as the number of buffered log events is lower than this value, all log events are handled asynchronously. This means that the client process sending the log event, by calling a log function in the Logger API, does not wait for a response from the handler but continues executing immediately after the event is sent. It is not affected by the time it takes the handler to print the event to the log device. If the message queue grows larger than this value, the handler starts handling log events synchronously instead, meaning that the client process sending the event must wait for a response. When the handler reduces the message queue to a level below the sync_mode_qlen threshold, asynchronous operation is resumed.


Type: pos_integer

Default: 3000

When the number of buffered log events is larger than this value, the new log events are dropped. When drop mode is activated or deactivated, a message is printed in the logs.


Type: pos_integer

Default: 8000

If the number of buffered log events grows larger than this threshold, a flush (delete) operation takes place. To flush events, the handler discards the buffered log messages without logging.


Type: log_overload_kill


Type: log_burst_limit


Type: enum

Default: error

Optional: error | progress

Type of supervisor reports that are logged. Defaults to error

  • error: only log errors in the Erlang processes
  • progress: log process startup.


Type: unlimited | non_neg_integer

Default: 100

Maximum depth for Erlang term log formatting and Erlang process message queue inspection.

Log rotation

By default, the logs are stored in ./log directory (for installation from zip file) or in /var/log/emqx (for binary installation).
This section of the configuration controls the number of files kept for each log handler.


Type: boolean

Default: true

Enable log rotation feature.


Type: integer

Default: 10

Optional: 1-2048

Maximum number of log files.

Log burst limit

Large bursts of log events produced in a short time can potentially cause problems, such as:

  • Log files grow very large
  • Log files are rotated too quickly, and useful information gets overwritten
  • Overall performance impact on the system

Log burst limit feature can temporarily disable logging to avoid these issues.


Type: boolean

Default: true

Enable log burst control feature.


Type: pos_integer

Default: 10000

Maximum number of log events to handle within a window_time interval. After the limit is reached, successive events are dropped until the end of the window_time.


Type: duration

Default: 1s

See max_count.

Log overload kill

Log overload kill features an overload protection that activates when the log handlers use too much memory or have too many buffered log messages.
When the overload is detected, the log handler is terminated and restarted after a cooldown period.


Type: boolean

Default: true

Enable log handler overload kill feature.


Type: bytesize

Default: 30MB

Maximum memory size that the log handler process is allowed to use.


Type: pos_integer

Default: 20000

Maximum allowed queue length.


Type: duration_ms | infinity

Default: 5s

The handler restarts automatically after a delay in the event of termination, unless the value infinity is set, which blocks any subsequent restarts.

MQTT/TCP Listener - 1883

EMQX supports the creation of multiple listeners, and the default MQTT/TCP listener port is 1883.


Type: boolean

Default: true

Enable listener.


Type: ip_port | integer

Default: 1883

IP address and port for the listening socket.


Type: pos_integer

Default: 16

The size of the listener's receiving pool.


Type: infinity | pos_integer

Default: infinity

The maximum number of concurrent connections allowed by the listener.


Type: string

Default: ""

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t.
Set to "" to disable the feature.

Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: atom

Default: default

The configuration zone to which the listener belongs.


Type: limiter:listener_fields

Type of the rate limit.


Type: enum

Default: true

Optional: true | false | quick_deny_anonymous

Set true (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to false to allow any clients with or without authentication information such as username or password to log in. When set to quick_deny_anonymous, it behaves like when set to true, but clients will be denied immediately without going through any authenticators if username is not provided. This is useful to fence off anonymous clients early.


Type: array

Default: ["allow all"]

The access control rules for this listener.


Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.


Type: duration

Default: 3s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.


Type: array

Per-listener authentication override. Authentication can be one single authenticator instance or a chain of authenticators as an array. When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.


Type: broker:tcp_opts

MQTT/SSL Listener - 8883

Settings for the MQTT over SSL listener.


Type: boolean

Default: true

Enable listener.


Type: ip_port | integer

Default: 8883

IP address and port for the listening socket.


Type: pos_integer

Default: 16

The size of the listener's receiving pool.


Type: infinity | pos_integer

Default: infinity

The maximum number of concurrent connections allowed by the listener.


Type: string

Default: ""

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t.
Set to "" to disable the feature.

Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: atom

Default: default

The configuration zone to which the listener belongs.


Type: limiter:listener_fields

Type of the rate limit.


Type: enum

Default: true

Optional: true | false | quick_deny_anonymous

Set true (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to false to allow any clients with or without authentication information such as username or password to log in. When set to quick_deny_anonymous, it behaves like when set to true, but clients will be denied immediately without going through any authenticators if username is not provided. This is useful to fence off anonymous clients early.


Type: array

Default: ["allow all"]

The access control rules for this listener.


Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.


Type: duration

Default: 3s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.


Type: array

Per-listener authentication override. Authentication can be one single authenticator instance or a chain of authenticators as an array. When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.


Type: broker:tcp_opts


Type: listener_ssl_opts

MQTT Over QUIC/UDP Listener - 14567

Set the MQTT over QUIC UDP listener, which is not enabled by default. And this feature is not available in some operating systems.

For details, please refer to MQTT over QUIC Quick Start.

Settings for the MQTT over QUIC listener.


Type: string

Path to the certificate file. Will be deprecated in 5.1, use .ssl_options.certfile instead.


Type: string

Path to the secret key file. Will be deprecated in 5.1, use .ssl_options.keyfile instead.


Type: array

Default: ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256","TLS_CHACHA20_POLY1305_SHA256"]

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.

NOTE: QUIC listener supports only 'tlsv1.3' ciphers


Type: duration_ms

Default: 0

How long a connection can go idle before it is gracefully shut down. 0 to disable


Type: duration_ms

Default: 10s

How long a handshake can idle before it is discarded.


Type: duration_ms

Default: 0

How often to send PING frames to keep a connection alive. 0 means disabled.


Type: broker:listener_quic_ssl_opts

TLS options for QUIC transport


Type: boolean

Default: true

Enable listener.


Type: ip_port | integer

Default: 14567

IP address and port for the listening socket.


Type: pos_integer

Default: 16

The size of the listener's receiving pool.


Type: infinity | pos_integer

Default: infinity

The maximum number of concurrent connections allowed by the listener.


Type: string

Default: ""

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t.
Set to "" to disable the feature.

Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: atom

Default: default

The configuration zone to which the listener belongs.


Type: limiter:listener_fields

Type of the rate limit.


Type: enum

Default: true

Optional: true | false | quick_deny_anonymous

Set true (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to false to allow any clients with or without authentication information such as username or password to log in. When set to quick_deny_anonymous, it behaves like when set to true, but clients will be denied immediately without going through any authenticators if username is not provided. This is useful to fence off anonymous clients early.

MQTT/WebSocket Listener - 8083

Settings for the MQTT over WebSocket listener.$name.enabled

Type: boolean

Default: true

Enable listener.$name.bind

Type: ip_port | integer

Default: 8083

IP address and port for the listening socket.$name.acceptors

Type: pos_integer

Default: 16

The size of the listener's receiving pool.$name.max_connections

Type: infinity | pos_integer

Default: infinity

The maximum number of concurrent connections allowed by the listener.$name.mountpoint

Type: string

Default: ""

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t.
Set to "" to disable the feature.

Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username$

Type: atom

Default: default

The configuration zone to which the listener belongs.$name.limiter

Type: limiter:listener_fields

Type of the rate limit.$name.enable_authn

Type: enum

Default: true

Optional: true | false | quick_deny_anonymous

Set true (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to false to allow any clients with or without authentication information such as username or password to log in. When set to quick_deny_anonymous, it behaves like when set to true, but clients will be denied immediately without going through any authenticators if username is not provided. This is useful to fence off anonymous clients early.$name.access_rules

Type: array

Default: ["allow all"]

The access control rules for this listener.

Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.

Type: duration

Default: 3s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.$name.authentication

Type: array

Per-listener authentication override. Authentication can be one single authenticator instance or a chain of authenticators as an array. When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.$name.tcp_options

Type: broker:tcp_opts$name.websocket

Type: broker:ws_opts

MQTT/WebSocket with SSL Listener - 8084

Settings for the MQTT over WebSocket/SSL listener.


Type: boolean

Default: true

Enable listener.


Type: ip_port | integer

Default: 8084

IP address and port for the listening socket.


Type: pos_integer

Default: 16

The size of the listener's receiving pool.


Type: infinity | pos_integer

Default: infinity

The maximum number of concurrent connections allowed by the listener.


Type: string

Default: ""

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t.
Set to "" to disable the feature.

Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: atom

Default: default

The configuration zone to which the listener belongs.


Type: limiter:listener_fields

Type of the rate limit.


Type: enum

Default: true

Optional: true | false | quick_deny_anonymous

Set true (default) to enable client authentication on this listener, the authentication process goes through the configured authentication chain. When set to false to allow any clients with or without authentication information such as username or password to log in. When set to quick_deny_anonymous, it behaves like when set to true, but clients will be denied immediately without going through any authenticators if username is not provided. This is useful to fence off anonymous clients early.


Type: array

Default: ["allow all"]

The access control rules for this listener.


Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx.


Type: duration

Default: 3s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.


Type: array

Per-listener authentication override. Authentication can be one single authenticator instance or a chain of authenticators as an array. When authenticating a login (username, client ID, etc.) the authenticators are checked in the configured order.


Type: broker:tcp_opts


Type: broker:listener_wss_opts


Type: broker:ws_opts

MQTT Basic Parameters

Global MQTT configuration parameters.

Global MQTT configuration.
The configs here work as default values which can be overridden in zone configs


Type: infinity | duration

Default: 15s

After the TCP connection is established, if the MQTT CONNECT packet from the client is not received within the time specified by idle_timeout, the connection will be disconnected. After the CONNECT packet has been accepted by EMQX, if the connection idles for this long time, then the Erlang process is put to hibernation to save OS resources. Note: long idle_timeout interval may impose risk at the system if large number of malicious clients only establish connections but do not send any data.


Type: bytesize

Default: 1MB

Maximum MQTT packet size allowed.


Type: integer

Default: 65535

Optional: 23-65535

Maximum allowed length of MQTT Client ID.


Type: integer

Default: 128

Optional: 1-65535

Maximum topic levels allowed.


Type: qos

Default: 2

Maximum QoS allowed.


Type: integer

Default: 65535

Optional: 0-65535

Maximum topic alias, 0 means no topic alias supported.


Type: boolean

Default: true

Whether to enable support for MQTT retained message.


Type: boolean

Default: true

Whether to enable support for MQTT wildcard subscription.


Type: boolean

Default: true

Whether to enable support for MQTT shared subscription.


Type: boolean

Default: false

Whether to enable support for MQTT exclusive subscription.


Type: boolean

Default: false

Ignore loop delivery of messages for MQTT v3.1.1/v3.1.0, similar to No Local subscription option in MQTT 5.0.


Type: boolean

Default: false

Parse MQTT messages in strict mode. When set to true, invalid utf8 strings in for example client ID, topic name, etc. will cause the client to be disconnected


Type: string

Default: ""

Specify the response information returned to the client. This feature is disabled if is set to "". Applies only to clients using MQTT 5.0.


Type: integer | disabled

Default: disabled

The keep alive that EMQX requires the client to use. If configured as disabled, it means that the keep alive specified by the client will be used. Requires Server Keep Alive in MQTT 5.0, so it is only applicable to clients using MQTT 5.0 protocol.


Type: number

Default: 0.75

The backoff multiplier used by the broker to determine the client keep alive timeout. If EMQX doesn't receive any packet in Keep Alive * Backoff * 2 seconds, EMQX will close the current connection.


Type: 1..inf | infinity

Default: infinity

Maximum number of subscriptions allowed per client.


Type: boolean

Default: false

Force upgrade of QoS level according to subscription.


Type: integer

Default: 32

Optional: 1-65535

Maximum number of QoS 1 and QoS 2 messages that are allowed to be delivered simultaneously before completing the acknowledgment.


Type: duration

Default: 30s

Retry interval for QoS 1/2 message delivering.


Type: integer | infinity

Default: 100

For each publisher session, the maximum number of outstanding QoS 2 messages pending on the client to send PUBREL. After reaching this limit, new QoS 2 PUBLISH requests will be rejected with 147(0x93) until either PUBREL is received or timed out.


Type: duration

Default: 300s

For client to broker QoS 2 message, the time limit for the broker to wait before the PUBREL message is received. The wait is aborted after timed out, meaning the packet ID is freed for new PUBLISH requests. Receiving a stale PUBREL causes a warning level log. Note, the message is delivered to subscribers before entering the wait for PUBREL.


Type: duration

Default: 2h

Specifies how long the session will expire after the connection is disconnected, only for non-MQTT 5.0 connections.


Type: non_neg_integer | infinity

Default: 1000

Maximum queue length. Enqueued messages when persistent client disconnected, or inflight window is full.


Type: map | disabled

Default: disabled

Topic priorities. Priority number [1-255] There's no priority table by default, hence all messages are treated equal.

NOTE: Comma and equal signs are not allowed for priority topic names. NOTE: Messages for topics not in the priority table are treated as either highest or lowest priority depending on the configured value for mqtt.mqueue_default_priority.

Examples: To configure "topic/1" > "topic/2": mqueue_priorities: {"topic/1": 10, "topic/2": 8}


Type: enum

Default: lowest

Optional: highest | lowest

Default topic priority, which will be used by topics not in Topic Priorities (mqueue_priorities).


Type: boolean

Default: true

Specifies whether to store QoS 0 messages in the message queue while the connection is down but the session remains.


Type: boolean

Default: false

Whether to user Client ID as Username. This setting takes effect later than Use Peer Certificate as Username (peer_cert_as_username) and Use peer certificate as Client ID (peer_cert_as_clientid).


Type: enum

Default: disabled

Optional: disabled | cn | dn | crt | pem | md5

Use the CN, DN field in the peer certificate or the entire certificate content as Username. Only works for the TLS connection. Supported configurations are the following:

  • cn: Take the CN field of the certificate as Username
  • dn: Take the DN field of the certificate as Username
  • crt: Take the content of the DER or PEM certificate as Username
  • pem: Convert DER certificate content to PEM format as Username
  • md5: Take the MD5 value of the content of the DER or PEM certificate as Username


Type: enum

Default: disabled

Optional: disabled | cn | dn | crt | pem | md5

Use the CN, DN field in the peer certificate or the entire certificate content as Client ID. Only works for the TLS connection. Supported configurations are the following:

  • cn: Take the CN field of the certificate as Client ID
  • dn: Take the DN field of the certificate as Client ID
  • crt: Take the content of the DER or PEM certificate as Client ID
  • pem: Convert DER certificate content to PEM format as Client ID
  • md5: Take the MD5 value of the content of the DER or PEM certificate as Client ID


Configuration related to handling PUBLISH packets with a retain flag set to 1.


Type: boolean

Default: true

Enable retainer feature


Type: duration_ms

Default: 0s

Message retention time. 0 means message will never be expired.


Type: duration_ms

Default: 0s

Periodic interval for cleaning up expired messages. Never clear if the value is 0.


Type: retainer:flow_control

Default: {}

Flow control.


Type: bytesize

Default: 1MB

Maximum retained message size.


Type: boolean

Default: false

When the retained flag of the PUBLISH message is set and Payload is empty, whether to continue to publish the message. See:


Type: retainer:mnesia_config

Settings for the database storing the retained messages.

Retainer batching and rate limiting.


Type: non_neg_integer

Default: 0

Size of the batch when reading messages from storage. 0 means no limit.


Type: integer

Default: 0

Optional: 0-1000

The number of retained messages can be delivered per batch.


Type: limiter:internal

The rate limiter name for retained messages' delivery. Limiter helps to avoid delivering too many messages to the client at once, which may cause the client to block or crash, or drop messages due to exceeding the size of the message queue. The names of the available rate limiters are taken from the existing rate limiters under limiter.batch. If this field is empty, limiter is not used.

Configuration of the internal database storing retained messages.


Type: built_in_database

Default: built_in_database

Backend type.


Type: enum

Default: ram

Optional: ram | disc

Specifies whether the messages are stored in RAM or persisted on disc.


Type: non_neg_integer

Default: 0

Maximum number of retained messages. 0 means no limit.


Type: [[integer]]

Default: [[1,2,3],[1,3],[2,3],[3]]

Retainer index specifications: list of arrays of positive ascending integers. Each array specifies an index. Numbers in an index specification are 1-based word positions in topics. Words from specified positions will be used for indexing.
For example, it is good to have [2, 4] index to optimize +/X/+/Y/... topic wildcard subscriptions.

Shared subscription

You can set to enable or disable shared subscription configuration via mqtt.shared_subscription or zone.$name.shared_subscription item.

Per group dispatch strategy for shared subscription


Type: enum

Default: random

Optional: random | round_robin | round_robin_per_group | sticky | local | hash_topic | hash_clientid

Dispatch strategy for shared subscription.

  • random: dispatch the message to a random selected subscriber
  • round_robin: select the subscribers in a round-robin manner
  • round_robin_per_group: select the subscribers in round-robin fashion within each shared subscriber group
  • sticky: always use the last selected subscriber to dispatch, until the subscriber disconnects.
  • hash: select the subscribers by the hash of clientIds
  • local: send to a random local subscriber. If local subscriber was not found, send to a random subscriber cluster-wide

System topics

The EMQX Broker periodically publishes its own status, message statistics, client online and offline events to the system topic starting with $SYS/.

The following options control the behavior of $SYS topics.


Type: disabled | duration

Default: 1m

Time interval of publishing $SYS messages.


Type: disabled | duration

Default: 30s

Time interval for publishing following heartbeat messages:

  • $SYS/brokers/<node>/uptime
  • $SYS/brokers/<node>/datetime


Type: broker:event_names

Client events messages.

MQTT Adds-on

Delayed publish

Settings for the delayed module.


Type: boolean

Default: true

Enable this feature


Type: integer

Default: 0

Maximum number of delayed messages (0 is no limit).

Topic rewrite

The topic rewriting function of EMQX supports rewriting topic A to topic B when the client subscribes to topics, publishes messages, and cancels subscriptions according to user-configured rules. Each rewrite rule consists of three parts: subject filter, regular expression, and target expression. Under the premise that the subject rewriting function is enabled, when EMQX receives a subject-based MQTT message such as a PUBLISH message, it will use the subject of the message to sequentially match the subject filter part of the rule in the configuration file. If the match is successful, the regular expression is used to extract the information in the subject, and then replaced with the target expression to form a new subject. Variables in the format of $N can be used in the target expression to match the elements extracted from the regular expression. The value of $N is the Nth element extracted from the regular expression. For example, $1 is the regular expression. The first element extracted by the expression. It should be noted that EMQX uses reverse order to read the rewrite rules in the configuration file. When a topic can match the topic filter of multiple topic rewrite rules at the same time, EMQX will only use the first rule it matches. Rewrite. If the regular expression in this rule does not match the subject of the MQTT message, the rewriting will fail, and no other rules will be attempted for rewriting. Therefore, users need to carefully design MQTT message topics and topic rewriting rules when using them.


Type: enum

Optional: subscribe | publish | all

Topic rewriting takes effect on the type of operation:

  • subscribe: Rewrite topic when client do subscribe.
  • publish: Rewrite topic when client do publish.
  • all: Both


Type: string

Source topic, specified by the client.


Type: string

Destination topic.


Type: string

Regular expressions

Auto subscribe

After the device logs in successfully, the subscription is automatically completed for the device through the pre-defined subscription representation. Supports the use of placeholders.


Type: array

Default: []

After the device logs in successfully, the subscription is automatically completed for the device through the pre-defined subscription representation. Supports the use of placeholders.

Topic name, placeholders are supported. For example: client/${clientid}/username/${username}/host/${host}/port/${port} Required field, and cannot be empty string


Type: string

Topic name, placeholders are supported. For example: client/${clientid}/username/${username}/host/${host}/port/${port} Required field, and cannot be empty string


Type: qos

Default: 0

Default value 0. Quality of service. At most once (0) At least once (1) Exactly once (2)


Type: integer

Default: 0

Optional: 0-2

Default value 0. This option is used to specify whether the server forwards the retained message to the client when establishing a subscription. Retain Handling is equal to 0, as long as the client successfully subscribes, the server will send the retained message. Retain Handling is equal to 1, if the client successfully subscribes and this subscription does not exist previously, the server sends the retained message. After all, sometimes the client re-initiate the subscription just to change the QoS, but it does not mean that it wants to receive the reserved messages again. Retain Handling is equal to 2, even if the client successfully subscribes, the server does not send the retained message.


Type: integer

Default: 0

Optional: 0-1

Default value 0. This option is used to specify whether the server retains the RETAIN mark when forwarding messages to the client, and this option does not affect the RETAIN mark in the retained message. Therefore, when the option Retain As Publish is set to 0, the client will directly distinguish whether this is a normal forwarded message or a retained message according to the RETAIN mark in the message, instead of judging whether this message is the first received after subscribing(the forwarded message may be sent before the retained message, which depends on the specific implementation of different brokers).


Type: integer

Default: 0

Optional: 0-1

Default value 0. MQTT v3.1.1: if you subscribe to the topic published by yourself, you will receive all messages that you published. MQTT v5: if you set this option as 1 when subscribing, the server will not forward the message you published to you.

Log Trace

Real-time filtering logs for the ClientID or Topic or IP for debugging.


Type: enum

Default: text

Optional: hex | text | hidden

Determine the format of the payload format in the trace file.
text: Text-based protocol or plain text protocol. It is recommended when payload is JSON encoded.
hex: Binary hexadecimal encode. It is recommended when payload is a custom binary protocol.
hidden: payload is obfuscated as ******

Integration With Prometheus

Settings for reporting metrics to Prometheus


Type: string


URL of Prometheus server


Type: duration_ms

Default: 15s

Data reporting interval


Type: [{string, string()}]

Default: {}

A list of HTTP Headers when pushing to Push Gateway.
For example, { Authorization = "some-authz-tokens"}


Type: string

Default: ${name}/instance/${name}~${host}

Job Name that is pushed to the Push Gateway. Available variables:

  • ${name}: Name of EMQX node.
  • ${host}: Host name of EMQX node.
    For example, when the EMQX node name is emqx@ then the name variable takes value emqx and the host variable takes value
    Default value is: ${name}/instance/${name}~${host}


Type: boolean

Default: false

Turn Prometheus data pushing on or off

Integration with StatsD

StatsD metrics collection and push configuration.


Type: boolean

Default: false

Enable or disable StatsD metrics collection and push service.


Type: string


StatsD server address.


Type: duration_ms

Default: 30s

The sampling interval for metrics.


Type: duration_ms

Default: 30s

The push interval for metrics.


Type: map

Default: {}

The tags for metrics.

Slow subscriptions

Slow subscription message latency threshold and statistics policy configuration.


Type: boolean

Default: false

Enable this feature


Type: duration_ms

Default: 500ms

The latency threshold for statistics


Type: duration_ms

Default: 300s

The eviction time of the record, which in the statistics record table


Type: pos_integer

Default: 10

The maximum number of records in the slow subscription statistics record table


Type: enum

Default: whole

Optional: whole | internal | response

The method to calculate the latency

Topic metrics

Configure the topics that require statistics for detailed message flow data.


Type: string

Collect metrics for the topic.

Alarms and Monitoring

Settings for the alarms.


Type: array

Default: ["log","publish"]

The actions triggered when the alarm is activated.
Currently, the following actions are supported: log and publish. log is to write the alarm to log (console or file). publish is to publish the alarm as an MQTT message to the system topics: $SYS/brokers/emqx@xx.xx.xx.x/alarms/activate and $SYS/brokers/emqx@xx.xx.xx.x/alarms/deactivate


Type: integer

Default: 1000

Optional: 1-3000

The maximum total number of deactivated alarms to keep as history.
When this limit is exceeded, the oldest deactivated alarms are deleted to cap the total number.


Type: duration

Default: 24h

Retention time of deactivated alarms. Alarms are not deleted immediately when deactivated, but after the retention time.

Alarm Threshold

This part of the configuration is responsible for monitoring the host OS health, such as free memory, disk space, CPU load, etc.


Type: duration

Default: 60s

The time interval for the periodic CPU check.


Type: percent

Default: 80%

The threshold, as percentage of system CPU load, for how much system cpu can be used before the corresponding alarm is raised.


Type: percent

Default: 60%

The threshold, as percentage of system CPU load, for how much system cpu can be used before the corresponding alarm is cleared.


Type: disabled | duration

Default: 60s

The time interval for the periodic memory check.


Type: percent

Default: 70%

The threshold, as percentage of system memory, for how much system memory can be allocated before the corresponding alarm is raised.


Type: percent

Default: 5%

The threshold, as percentage of system memory, for how much system memory can be allocated by one Erlang process before the corresponding alarm is raised.

This part of the configuration is responsible for monitoring the Erlang processes in the VM. This information can be sent to an external PostgreSQL database. This feature is inactive unless the PostgreSQL sink is configured.

Type: non_neg_integer

Default: 10

The number of top processes per monitoring group

Type: duration

Default: 2s

Specifies how often process top should be collected

Type: non_neg_integer

Default: 1000000

Stop collecting data when the number of processes in the VM exceeds this value

Type: string

Default: ""

Hostname of the PostgreSQL database that collects the data points

Type: integer

Default: 5432

Port of the PostgreSQL database that collects the data points.

Type: string

Default: system_monitor

Username of the PostgreSQL database

Type: string

Default: system_monitor_password

EMQX user password in the PostgreSQL database

Type: string

Default: postgres

PostgreSQL database name

This part of the configuration is responsible for collecting BEAM VM events, such as long garbage collection, traffic congestion in the inter-broker communication, etc.


Type: duration

Default: 30s

The time interval for the periodic process limit check.


Type: percent

Default: 80%

The threshold, as percentage of processes, for how many processes can simultaneously exist at the local node before the corresponding alarm is raised.


Type: percent

Default: 60%

The threshold, as percentage of processes, for how many processes can simultaneously exist at the local node before the corresponding alarm is cleared.


Type: disabled | duration

Default: disabled

When an Erlang process spends long time to perform garbage collection, a warning level long_gc log is emitted, and an MQTT message is published to the system topic $SYS/sysmon/long_gc.


Type: disabled | duration

Default: 240ms

When the Erlang VM detect a task scheduled for too long, a warning level 'long_schedule' log is emitted, and an MQTT message is published to the system topic $SYS/sysmon/long_schedule.


Type: disabled | bytesize

Default: 32MB

When an Erlang process consumed a large amount of memory for its heap space, the system will write a warning level large_heap log, and an MQTT message is published to the system topic $SYS/sysmon/large_heap.


Type: boolean

Default: true

When the RPC connection used to communicate with other nodes in the cluster is overloaded, there will be a busy_dist_port warning log, and an MQTT message is published to system topic $SYS/sysmon/busy_dist_port.


Type: boolean

Default: true

When a port (e.g. TCP socket) is overloaded, there will be a busy_port warning log, and an MQTT message is published to the system topic $SYS/sysmon/busy_port.

Rate Limit

EMQX rate limiting provides six rate limiters, bytes_in, message_in, connection, message_routing, internal, client, and three different levels of rate limiting functions, node, listener, and connection.

For an introduction to rate limiting and its use, please refer to rate limiting.

Rate limiter

Settings for the rate limiter.


Type: limiter:node_opts

Default: {}

The bytes_in limiter. This is used to limit the inbound bytes rate for this EMQX node. Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:node_opts

Default: {}

The message in limiter. This is used to limit the inbound message numbers for this EMQX node Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:node_opts

Default: {}

The connection limiter. This is used to limit the connection rate for this EMQX node. Once the limit is reached, new connections will be refused


Type: limiter:node_opts

Default: {}

The message routing limiter. This is used to limit the forwarding rate for this EMQX node. Once the limit is reached, new publish will be refused


Type: limiter:node_opts

Default: {}

Limiter for EMQX internal app.


Type: limiter:client_fields

Default: {"bytes_in":{},"connection":{},"internal":{},"message_in":{},"message_routing":{}}

The rate limit for each user of the bucket

Rate limiter available configurations

The configuration items available under each rate limiter.

limiter.message_in {
  rate  =  infinity
  burst  =  0

Node-level rate limiting

Note: Only listeners with rate limits configured are affected by node-level settings

Settings for the limiter of the node level.


Type: rate

Default: infinity

Rate for this bucket.


Type: burst_rate

Default: 0

The burst, This value is based on rate.
This value + rate = the maximum limit that can be achieved when limiter burst.

Listener-level rate limiting

Config rate limiter in listener:


Type: limiter:bucket_infinity

The bytes_in limiter. This is used to limit the inbound bytes rate for this EMQX node. Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:bucket_infinity

The message in limiter. This is used to limit the inbound message numbers for this EMQX node Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:bucket_limit

The connection limiter. This is used to limit the connection rate for this EMQX node. Once the limit is reached, new connections will be refused


Type: limiter:bucket_infinity

The message routing limiter. This is used to limit the forwarding rate for this EMQX node. Once the limit is reached, new publish will be refused


Type: limiter:listener_client_fields

The rate limit for each user of the bucket

Connection-level rate limiting

Limit per connection for nodes

Settings for the client in bucket level.


Type: rate

Default: infinity

Rate for this bucket.


Type: initial

Default: 0

The initial number of tokens for this bucket.


Type: initial

Default: 0

If the remaining tokens are lower than this value, the check/consume will succeed, but it will be forced to wait for a short period of time.


Type: capacity

Default: infinity

The capacity of per user.


Type: boolean

Default: false

Is it possible to split the number of requested tokens?


Type: duration

Default: 10s

The maximum retry time when acquire failed.


Type: failure_strategy

Default: force

The strategy when all the retries failed.

Limit per connection for listener

Fields of the client level of the listener.


Type: limiter:client_opts

The bytes_in limiter. This is used to limit the inbound bytes rate for this EMQX node. Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:client_opts

The message in limiter. This is used to limit the inbound message numbers for this EMQX node Once the limit is reached, the restricted client will be slow down even be hung for a while.


Type: limiter:client_opts

The connection limiter. This is used to limit the connection rate for this EMQX node. Once the limit is reached, new connections will be refused


Type: limiter:client_opts

The message routing limiter. This is used to limit the forwarding rate for this EMQX node. Once the limit is reached, new publish will be refused

Retained message delivery rate limit

Internal limiter.


Type: rate

Default: infinity

Rate for this bucket.


Type: capacity

Default: infinity

The capacity of this token bucket.


Type: initial

Default: 0

The initial number of tokens for this bucket.


Type: limiter:client_opts

The rate limit for each user of the bucket

Overload Protection

Overload protection mechanism monitors the load of the system and temporarily disables some features (such as accepting new connections) when the load is high.


Type: boolean

Default: false

React on system overload or not.


Type: integer

Default: 1

Optional: 0-inf

The maximum duration of delay for background task execution during high load conditions.


Type: boolean

Default: false

When at high load, skip forceful GC.


Type: boolean

Default: true

When at high load, skip process hibernation.


Type: boolean

Default: true

When at high load, close new incoming connections.

Performance optimization


Broker performance tuning parameters.


Type: enum

Default: key

Optional: key | tab | global

Performance tuning for subscribing/unsubscribing a wildcard topic. Change this parameter only when there are many wildcard topics.

NOTE: when changing from/to global lock, it requires all nodes in the cluster to be stopped before the change.

  • key: mnesia transactional updates with per-key locks. Recommended for a single-node setup.
  • tab: mnesia transactional updates with table lock. Recommended for a cluster setup.
  • global: updates are protected with a global lock. Recommended for large clusters.


Type: boolean

Default: true

Enable trie path compaction. Enabling it significantly improves wildcard topic subscribe rate, if wildcard topics have unique prefixes like: 'sensor//+/', where ID is unique per subscriber. Topic match performance (when publishing) may degrade if messages are mostly published to topics with large number of levels.

NOTE: This is a cluster-wide configuration. It requires all nodes to be stopped before changing it.


Force garbage collection in MQTT connection process after they process certain number of messages or bytes of data.


Type: boolean

Default: true

Enable forced garbage collection.


Type: integer

Default: 16000

Optional: 0-inf

GC the process after this many received messages.


Type: bytesize

Default: 16MB

GC the process after specified number of bytes have passed through.


When the process message queue length, or the memory bytes reaches a certain value, the process is forced to close.

Note: "message queue" here refers to the "message mailbox" of the Erlang process, not the mqueue of QoS 1 and QoS 2.


Type: boolean

Default: true

Enable force_shutdown feature.


Type: integer

Default: 1000

Optional: 0-inf

Maximum message queue length.


Type: wordsize

Default: 32MB

Total heap size


Settings for conn_congestion alarm.

Sometimes the MQTT connection (usually an MQTT subscriber) may get "congested", because there are too many packets to be sent. The socket tries to buffer the packets until the buffer is full. If more packets arrive after that, the packets will be "pending" in the queue, and we consider the connection congested.

Note: sndbuf can be set to larger value if the alarm is triggered too often. The name of the alarm is of format conn_congestion/<ClientID>/<Username>, where the <ClientID> is the client ID of the congested MQTT connection, and <Username> is the username or unknown_user.


Type: boolean

Default: true

Enable or disable connection congestion alarm.


Type: duration

Default: 1m

Minimal time before clearing the alarm.
The alarm is cleared only when there's no pending data in
the queue, and at least min_alarm_sustain_durationmilliseconds passed since the last time we considered the connection 'congested'.
This is to avoid clearing and raising the alarm again too often.


This config controls the allowed maximum number of CONNECT packets received from the same clientid in a time frame defined by window_time. After the limit is reached, successive CONNECT requests are forbidden (banned) until the end of the time period defined by ban_time.


Type: boolean

Default: false

Enable flapping connection detection feature.


Type: integer

Default: 15

The maximum number of disconnects allowed for a MQTT Client in window_time


Type: duration

Default: 1m

The time window for flapping detection.


Type: duration

Default: 5m

How long the flapping clientid will be banned.


Enable/disable statistic data collection. Statistic data such as message receive/send count/rate etc. It provides insights of system performance and helps to diagnose issues. You can find statistic data from the dashboard, or from the '/stats' API.


Type: boolean

Default: true

Enable/disable statistic data collection.

Persistent session

Settings for message persistence.


Type: boolean

Default: false

Use the database to store information about persistent sessions. This makes it possible to migrate a client connection to another cluster node if a node is stopped.


Type: boolean

Default: true

Save information about the persistent sessions on disc. If this option is enabled, persistent sessions will survive full restart of the cluster. Otherwise, all the data will be stored in RAM, and it will be lost when all the nodes in the cluster are stopped.


Type: boolean

Default: false

Maintain a copy of the data in RAM for faster access.


Type: broker:persistent_session_builtin

Default: {"messages":{"ram_cache":"false"},"session":{"ram_cache":"true"},"session_messages":{"ram_cache":"true"},"type":"builtin"}

Database management system used to store information about persistent sessions and messages.

  • builtin: Use the embedded database (mria)


Type: duration

Default: 1h

The time messages that was not delivered to a persistent session is stored before being garbage collected if the node the previous session was handled on restarts of is stopped.


Type: duration

Default: 1h

The starting interval for garbage collection of undelivered messages to a persistent session. This affects how often the "max_retain_undelivered" is checked for removal.


Type: duration

Default: 1m

The starting interval for garbage collection of transient data for persistent session messages. This does not affect the lifetime length of persistent session messages.

Settings for the built-in storage engine of persistent messages.


Type: enum

Default: builtin

Optional: builtin


Type: broker:persistent_table_mria_opts

Performance tuning options for built-in session table.


Type: broker:persistent_table_mria_opts

Performance tuning options for built-in session messages table.


Type: broker:persistent_table_mria_opts

Performance tuning options for built-in messages table.

Tuning options for the mria table.


Type: boolean

Default: true

Maintain a copy of the data in RAM for faster access.


Configuration for EMQX dashboard.


Type: dashboard:listeners

HTTP(s) listeners are identified by their protocol type and are used to serve dashboard UI and restful HTTP API. Listeners must have a unique combination of port number and IP address. For example, an HTTP listener can listen on all configured IP addresses on a given port for a machine by specifying the IP address Alternatively, the HTTP listener can specify a unique IP address for each listener, but use the same port.


Type: string

Default: admin

The default username of the automatically created dashboard user.


Type: string

Default: public

The initial default password for dashboard 'admin' user. For safety, it should be changed as soon as possible. This value is not valid when you log in to Dashboard for the first time via the web and change to a complex password as prompted.


Type: duration_s

Default: 10s

How often to update metrics displayed in the dashboard. Note: sample_interval should be a divisor of 60, default is 10s.


Type: duration

Default: 60m

JWT token expiration time. Default is 60 minutes


Type: boolean

Default: false

Support Cross-Origin Resource Sharing (CORS). Allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.


Type: enum

Default: en

Optional: en | zh

Internationalization language support.


Type: string

Default: ""

Deprecated, use api_key.bootstrap_file.

Configuration for the dashboard listener (plaintext).


Type: boolean

Default: true

Ignore or enable this listener


Type: non_neg_integer | ip_port

Default: 18083

Port without IP(18083) or port with specified IP(


Type: integer

Default: 2

Socket acceptor pool size for TCP protocols. Default is the number of schedulers online


Type: integer

Default: 512

Maximum number of simultaneous connections.


Type: integer

Default: 1024

Defines the maximum length that the queue of pending connections can grow to.


Type: duration

Default: 10s

Send timeout for the socket.


Type: boolean

Default: false

Enable IPv6 support, default is false, which means IPv4 only.


Type: boolean

Default: false

Disable IPv4-to-IPv6 mapping for the listener. The configuration is only valid when the inet6 is true.


Type: boolean

Default: false

Enable support for HAProxy header. Be aware once enabled regular HTTP requests can't be handled anymore.

Configuration for the dashboard listener (TLS).


Type: boolean

Default: false

Ignore or enable this listener


Type: non_neg_integer | ip_port

Default: 18084

Port without IP(18083) or port with specified IP(


Type: integer

Default: 2

Socket acceptor pool size for TCP protocols. Default is the number of schedulers online


Type: integer

Default: 512

Maximum number of simultaneous connections.


Type: integer

Default: 1024

Defines the maximum length that the queue of pending connections can grow to.


Type: duration

Default: 10s

Send timeout for the socket.


Type: boolean

Default: false

Enable IPv6 support, default is false, which means IPv4 only.


Type: boolean

Default: false

Disable IPv4-to-IPv6 mapping for the listener. The configuration is only valid when the inet6 is true.


Type: boolean

Default: false

Enable support for HAProxy header. Be aware once enabled regular HTTP requests can't be handled anymore.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: string

Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used.
NOTE: The dhfile option is not supported by TLS 1.3.


Type: boolean

Default: true

An important security setting, it forces the cipher to be set based on the server-specified order instead of the client-specified order, hence enforcing the (usually more properly configured) security ordering of the server administrator.


Type: boolean

Default: true

In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.


Type: duration

Default: 15s

Maximum time duration allowed for the handshake to complete

Configuration for the dashboard listener.


Type: dashboard:http

TCP listeners


Type: dashboard:https

SSL listeners

API Keys

API Key, can be used to request API other than the management API key and the Dashboard user management API


Type: string

Default: ""

Bootstrap file is used to add an api_key when emqx is launched, the format is: 7e729ae70d23144b:2QILI9AcQ9BYlVqLDHQNWN2saIjBV4egr1CZneTNKr9CpK ec3907f865805db0:Ee3taYltUKtoBVD9C3XjQl9C6NXheip8Z9B69BpUv5JxVHL


Password-based - Built-in database

Configuration of authenticator using built-in database as data source.


Type: password_based

Authentication mechanism.


Type: built_in_database

Backend type.


Type: enum

Default: username

Optional: clientid | username

Specify whether to use clientid or username for authentication.


Type: authn-hash:bcrypt_rw | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash creation and verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.

Password-based - MySQL

Configuration of authenticator using MySQL as authentication data source.


Type: password_based

Authentication mechanism.


Type: mysql

Backend type.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: string

SQL used to query data for authentication, such as password hash.


Type: duration_ms

Default: 5s

Timeout for the SQL query.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MySQL default port 3306 is used if [:Port] is not specified.


Type: string

Database name.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

Default: root

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Password-based - PostgreSQL

Configuration of authenticator using PostgreSQL as authentication data source.


Type: password_based

Authentication mechanism.


Type: postgresql

Backend type.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: string

SQL used to query data for authentication, such as password hash.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The PostgreSQL default port 5432 is used if [:Port] is not specified.


Type: string

Database name.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Password-based - Redis

Redis standalone

Configuration of authenticator using Redis (Standalone) as authentication data source.


Type: password_based

Authentication mechanism.


Type: redis

Backend type.


Type: string

The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The Redis default port 6379 is used if [:Port] is not specified.


Type: single

Default: single

Single mode. Must be set to 'single' when Redis server is running in single mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: integer

Default: 0

Redis database ID.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Redis cluster

Configuration of authenticator using Redis (Cluster) as authentication data source.


Type: password_based

Authentication mechanism.


Type: redis

Backend type.


Type: string

The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The Redis default port 6379 is used if [:Port] is not specified.


Type: cluster

Default: cluster

Cluster mode. Must be set to 'cluster' when Redis server is running in clustered mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Redis sentinel

Configuration of authenticator using Redis (Sentinel) as authentication data source.


Type: password_based

Authentication mechanism.


Type: redis

Backend type.


Type: string

The Redis Command used to query data for authentication such as password hash, currently only supports HGET and HMGET.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The Redis default port 6379 is used if [:Port] is not specified.


Type: sentinel

Default: sentinel

Sentinel mode. Must be set to 'sentinel' when Redis server is running in sentinel mode.


Type: string

The cluster name in Redis sentinel mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: integer

Default: 0

Redis database ID.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Password-based - MongoDB

MongoDB standalone

Configuration of authenticator using MongoDB (Standalone) as authentication data source.


Type: password_based

Authentication mechanism.


Type: mongodb

Backend type.


Type: string

Collection used to store authentication data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: string

Default: password_hash

Document field that contains password hash.


Type: string

Default: salt

Document field that contains the password salt.


Type: string

Default: is_superuser

Document field that defines if the user has superuser privileges.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: single

Default: single

Standalone instance. Must be set to 'single' when MongoDB server is running in standalone mode.


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

MongoDB replica set

Configuration of authenticator using MongoDB (Replica Set) as authentication data source.


Type: password_based

Authentication mechanism.


Type: mongodb

Backend type.


Type: string

Collection used to store authentication data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: string

Default: password_hash

Document field that contains password hash.


Type: string

Default: salt

Document field that contains the password salt.


Type: string

Default: is_superuser

Document field that defines if the user has superuser privileges.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: rs

Default: rs

Replica set. Must be set to 'rs' when MongoDB server is running in 'replica set' mode.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: enum

Default: master

Optional: master | slave_ok

Read mode.


Type: string

Name of the replica set.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

MongoDD sharded cluster

Configuration of authenticator using MongoDB (Sharded Cluster) as authentication data source.


Type: password_based

Authentication mechanism.


Type: mongodb

Backend type.


Type: string

Collection used to store authentication data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: string

Default: password_hash

Document field that contains password hash.


Type: string

Default: salt

Document field that contains the password salt.


Type: string

Default: is_superuser

Document field that defines if the user has superuser privileges.


Type: authn-hash:bcrypt | authn-hash:pbkdf2 | authn-hash:simple

Default: {"name":"sha256","salt_position":"prefix"}

Options for password hash verification.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: sharded

Default: sharded

Sharded cluster. Must be set to 'sharded' when MongoDB server is running in 'sharded' mode.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Password-based - HTTP


Configuration of authenticator using HTTP Server as authentication service (Using GET request).


Type: get

HTTP request method.


Type: map

Default: {"accept":"application/json","cache-control":"no-cache","connection":"keep-alive","keep-alive":"timeout=30, max=1000"}

List of HTTP headers (without content-type).


Type: password_based

Authentication mechanism.


Type: http

Backend type.


Type: string

URL of the HTTP server.


Type: #{term => binary()}

HTTP request body.


Type: duration_ms

Default: 5s

HTTP request timeout.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: duration_ms

Default: 15s

The timeout when connecting to the HTTP server.


Type: pos_integer

Default: 100

A positive integer. Whether to send HTTP requests continuously, when set to 1, it means that after each HTTP request is sent, you need to wait for the server to return and then continue to send the next request.


Type: non_neg_integer

Deprecated since 5.0.4.


Type: pos_integer

Default: 8

The pool size.


Type: connector-http:request

Configure HTTP request parameters.


Type: duration

Deprecated since 5.0.4.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Configuration of authenticator using HTTP Server as authentication service (Using POST request).


Type: post

HTTP request method.


Type: map

Default: {"accept":"application/json","cache-control":"no-cache","connection":"keep-alive","content-type":"application/json","keep-alive":"timeout=30, max=1000"}

List of HTTP Headers.


Type: password_based

Authentication mechanism.


Type: http

Backend type.


Type: string

URL of the HTTP server.


Type: #{term => binary()}

HTTP request body.


Type: duration_ms

Default: 5s

HTTP request timeout.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


Type: duration_ms

Default: 15s

The timeout when connecting to the HTTP server.


Type: pos_integer

Default: 100

A positive integer. Whether to send HTTP requests continuously, when set to 1, it means that after each HTTP request is sent, you need to wait for the server to return and then continue to send the next request.


Type: non_neg_integer

Deprecated since 5.0.4.


Type: pos_integer

Default: 8

The pool size.


Type: connector-http:request

Configure HTTP request parameters.


Type: duration

Deprecated since 5.0.4.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

JWT Authentication

Configuration when the JWT for authentication is issued using the HMAC algorithm.


Type: enum

Optional: false

Whether to use JWKS.


Type: enum

Optional: hmac-based

JWT signing algorithm, Supports HMAC (configured as hmac-based) and RSA, ECDSA (configured as public-key).


Type: string

The key to verify the JWT using HMAC algorithm.


Type: boolean

Default: false

Whether secret is base64 encoded.


Type: jwt

Authentication mechanism.


Type: string

Default: acl

JWT claim name to use for getting ACL rules.


Type: [term]

Default: {}

A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in verify_claims.


Type: enum

Default: password

Optional: username | password

Field to take JWT from.


Type: boolean

Default: true

Set to true or false to disable this auth provider.

Configuration when JWTs used for authentication need to be fetched from the JWKS endpoint.


Type: enum

Optional: true

Whether to use JWKS.


Type: string

JWKS endpoint, it's a read-only endpoint that returns the server's public key set in the JWKS format.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: integer

Default: 300

JWKS refresh interval.


Type: ssl_client_opts

Default: {"enable":false}

SSL options.


Type: jwt

Authentication mechanism.


Type: string

Default: acl

JWT claim name to use for getting ACL rules.


Type: [term]

Default: {}

A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in verify_claims.


Type: enum

Default: password

Optional: username | password

Field to take JWT from.


Type: boolean

Default: true

Set to true or false to disable this auth provider.

Configuration when the JWT for authentication is issued using RSA or ECDSA algorithm.


Type: enum

Optional: false

Whether to use JWKS.


Type: enum

Optional: public-key

JWT signing algorithm, Supports HMAC (configured as hmac-based) and RSA, ECDSA (configured as public-key).


Type: string

The public key used to verify the JWT.


Type: jwt

Authentication mechanism.


Type: string

Default: acl

JWT claim name to use for getting ACL rules.


Type: [term]

Default: {}

A list of custom claims to validate, which is a list of name/value pairs. Values can use the following placeholders:

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting Authentication will verify that the value of claims in the JWT (taken from the Password field) matches what is required in verify_claims.


Type: enum

Default: password

Optional: username | password

Field to take JWT from.


Type: boolean

Default: true

Set to true or false to disable this auth provider.

Enhanced Authentication

Settings for Salted Challenge Response Authentication Mechanism (SCRAM) authentication.


Type: scram

Authentication mechanism.


Type: built_in_database

Backend type.


Type: enum

Default: sha256

Optional: sha256 | sha512

Hashing algorithm.


Type: non_neg_integer

Default: 4096

Iteration count.


Type: boolean

Default: true

Set to true or false to disable this auth provider.


PSK stands for 'Pre-Shared Keys'. This config to enable TLS-PSK authentication.

Important! Make sure the SSL listener with only tlsv1.2 enabled, and also PSK cipher suites configured, such as RSA-PSK-AES256-GCM-SHA384.

See listener SSL options config for more details.

The IDs and secrets can be provided from a file which is configurable by the init_file field.


Type: boolean

Default: false

Whether to enable TLS PSK support


Type: string

If init_file is specified, EMQX will import PSKs from the file into the built-in database at startup for use by the runtime. The file has to be structured line-by-line, each line must be in the format of PSKIdentity:SharedSecret. For example: mydevice1:c2VjcmV0


Type: string

Default: :

The separator between PSKIdentity and SharedSecret in the PSK file


Type: integer

Default: 50

The size of each chunk used to import to the built-in database from PSK file

Password Hash

Settings for bcrypt password hashing algorithm.

Type: bcrypt

BCRYPT password hashing.

Settings for bcrypt password hashing algorithm (for DB backends with write capability).

Type: bcrypt

BCRYPT password hashing.


Type: integer

Default: 10

Salt rounds for BCRYPT password generation.

Settings for PBKDF2 password hashing algorithm.

Type: pbkdf2

PBKDF2 password hashing.


Type: enum

Optional: md4 | md5 | ripemd160 | sha | sha224 | sha256 | sha384 | sha512

Specifies mac_fun for PBKDF2 hashing algorithm.


Type: integer

Iteration count for PBKDF2 hashing algorithm.


Type: integer

Derived length for PBKDF2 hashing algorithm. If not specified, calculated automatically based on mac_fun.

Settings for simple algorithms.

Type: enum

Optional: plain | md5 | sha | sha256 | sha512

Simple password hashing algorithm.


Type: enum

Default: prefix

Optional: disable | prefix | suffix

Salt position for PLAIN, MD5, SHA, SHA256 and SHA512 algorithms.


Default Actions and Caching

Settings that control client authorization.


Type: enum

Default: allow

Optional: allow | deny

Default access control action if the user or client matches no ACL rules, or if no such user or client is found by the configurable authorization sources such as built_in_database, an HTTP API, or a query against PostgreSQL. Find more details in 'authorization.sources' config.


Type: enum

Default: ignore

Optional: ignore | disconnect

The action when the authorization check rejects an operation.


Type: broker:authz_cache


Type: array

Default: []

Authorization data sources.
An array of authorization (ACL) data providers. It is designed as an array, not a hash-map, so the sources can be ordered to form a chain of access controls.

When authorizing a 'publish' or 'subscribe' action, the configured sources are checked in order. When checking an ACL source, in case the client (identified by username or client ID) is not found, it moves on to the next source. And it stops immediately once an 'allow' or 'deny' decision is returned.

If the client is not found in any of the sources, the default action configured in 'authorization.no_match' is applied.

NOTE: The source elements are identified by their 'type'. It is NOT allowed to configure two or more sources of the same type.

Settings for the authorization cache.


Type: boolean

Default: true

Enable or disable the authorization cache.


Type: integer

Default: 32

Optional: 1-1048576

Maximum number of cached items.


Type: duration

Default: 1m

Time to live for the cached data.

ACL File

Authorization using a static file.


Type: file

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

Path to the file which contains the ACL rules. If the file provisioned before starting EMQX node, it can be placed anywhere as long as EMQX has read access to it. That is, EMQX will treat it as read only.

In case the rule-set is created or updated from EMQX Dashboard or HTTP API, a new file will be created and placed in authz subdirectory inside EMQX's data_dir, and the old file will not be used anymore.

Built-in database

Authorization using a built-in database (mnesia).


Type: built_in_database

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Authorization using a MySQL database.


Type: mysql

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MySQL default port 3306 is used if [:Port] is not specified.


Type: string

Database name.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

Default: root

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: map

Key-value list of SQL prepared statements.


Type: string

Database query used to retrieve authorization data.


Authorization using a PostgreSQL database.


Type: postgresql

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The PostgreSQL default port 5432 is used if [:Port] is not specified.


Type: string

Database name.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: map

Key-value list of SQL prepared statements.


Type: string

Database query used to retrieve authorization data.


Authorization using a single Redis instance.


Type: redis

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The Redis default port 6379 is used if [:Port] is not specified.


Type: single

Default: single

Single mode. Must be set to 'single' when Redis server is running in single mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: integer

Default: 0

Redis database ID.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: string

Database query used to retrieve authorization data.

Authorization using a Redis cluster.


Type: redis

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The Redis default port 6379 is used if [:Port] is not specified.


Type: cluster

Default: cluster

Cluster mode. Must be set to 'cluster' when Redis server is running in clustered mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: string

Database query used to retrieve authorization data.

Authorization using a Redis Sentinel.


Type: redis

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The Redis default port 6379 is used if [:Port] is not specified.


Type: sentinel

Default: sentinel

Sentinel mode. Must be set to 'sentinel' when Redis server is running in sentinel mode.


Type: string

The cluster name in Redis sentinel mode.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's password in the external database.


Type: integer

Default: 0

Redis database ID.


Type: boolean

Deprecated since v5.0.15.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: string

Database query used to retrieve authorization data.


Authorization using a single MongoDB instance.


Type: mongodb

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

MongoDB collection containing the authorization data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: single

Default: single

Standalone instance. Must be set to 'single' when MongoDB server is running in standalone mode.


Type: string

The IPv4 or IPv6 address or the hostname to connect to.
A host entry has the following form: Host[:Port].
The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Authorization using a MongoDB replica set.


Type: mongodb

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

MongoDB collection containing the authorization data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: rs

Default: rs

Replica set. Must be set to 'rs' when MongoDB server is running in 'replica set' mode.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: enum

Default: master

Optional: master | slave_ok

Read mode.


Type: string

Name of the replica set.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.

Authorization using a sharded MongoDB cluster.


Type: mongodb

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

MongoDB collection containing the authorization data.


Type: map

Default: {}

Conditional expression that defines the filter condition in the query. Filter supports the following placeholders

  • ${username}: Will be replaced at runtime with Username used by the client when connecting
  • ${clientid}: Will be replaced at runtime with Client ID used by the client when connecting


Type: sharded

Default: sharded

Sharded cluster. Must be set to 'sharded' when MongoDB server is running in 'sharded' mode.


Type: string

A Node list for Cluster to connect to. The nodes should be separated with commas, such as: Node[,Node]. For each Node should be: The IPv4 or IPv6 address or the hostname to connect to. A host entry has the following form: Host[:Port]. The MongoDB default port 27017 is used if [:Port] is not specified.


Type: enum

Default: unsafe

Optional: unsafe | safe

Write mode.


Type: boolean

Default: false

Use DNS SRV record.


Type: pos_integer

Default: 8

Size of the connection pool towards the bridge target service.


Type: string

EMQX's username in the external database.


Type: string

EMQX's password in the external database.


Type: string

Database name associated with the user's credentials.


Type: string

Database name.


Type: topology


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Authorization using an external HTTP server (via GET requests).


Type: http

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

URL of the auth server.


Type: string

Default: 30s

HTTP request timeout.


Type: map

HTTP request body.


Type: duration_ms

Default: 15s

The timeout when connecting to the HTTP server.


Type: pos_integer

Default: 100

A positive integer. Whether to send HTTP requests continuously, when set to 1, it means that after each HTTP request is sent, you need to wait for the server to return and then continue to send the next request.


Type: non_neg_integer

Deprecated since 5.0.4.


Type: pos_integer

Default: 8

The pool size.


Type: connector-http:request

Configure HTTP request parameters.


Type: duration

Deprecated since 5.0.4.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: get

HTTP method.


Type: [{binary, binary()}]

Default: {"accept":"application/json","cache-control":"no-cache","connection":"keep-alive","keep-alive":"timeout=30, max=1000"}

List of HTTP headers (without content-type).

Authorization using an external HTTP server (via POST requests).


Type: http

Backend type.


Type: boolean

Default: true

Set to true or false to disable this ACL provider


Type: string

URL of the auth server.


Type: string

Default: 30s

HTTP request timeout.


Type: map

HTTP request body.


Type: duration_ms

Default: 15s

The timeout when connecting to the HTTP server.


Type: pos_integer

Default: 100

A positive integer. Whether to send HTTP requests continuously, when set to 1, it means that after each HTTP request is sent, you need to wait for the server to return and then continue to send the next request.


Type: non_neg_integer

Deprecated since 5.0.4.


Type: pos_integer

Default: 8

The pool size.


Type: connector-http:request

Configure HTTP request parameters.


Type: duration

Deprecated since 5.0.4.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: post

HTTP method.


Type: [{binary, binary()}]

Default: {"accept":"application/json","cache-control":"no-cache","connection":"keep-alive","content-type":"application/json","keep-alive":"timeout=30, max=1000"}

List of HTTP Headers.

Events Topic

Enable or disable client lifecycle event publishing.

The following options affect MQTT clients as well as gateway clients. The types of the clients are distinguished by the topic prefix:

  • For the MQTT clients, the format is: $SYS/broker/<node>/clients/<clientid>/<event>
  • For the Gateway clients, it is $SYS/broker/<node>/gateway/<gateway-name>/clients/<clientid>/<event>


Type: boolean

Default: true

Enable to publish client connected event messages


Type: boolean

Default: true

Enable to publish client disconnected event messages.


Type: boolean

Default: false

Enable to publish event message that client subscribed a topic successfully.


Type: boolean

Default: false

Enable to publish event message that client unsubscribed a topic successfully.

Rule Engine

Configuration for the EMQX Rule Engine.


Type: boolean

Default: true

When set to 'true' (default), rule-engine will ignore messages published to $SYS topics.


Type: id

Default: {}

The rules


Type: duration_ms

Default: 10s

Default timeout for the jq rule engine function


Type: enum

Default: jq_nif

Optional: jq_nif | jq_port

The implementation module for the jq rule engine function. The two options are jq_nif and jq_port. With the jq_nif option an Erlang NIF library is used while with the jq_port option an implementation based on Erlang port programs is used. The jq_nif option (the default option) is the fastest implementation of the two but jq_port is safer as the jq programs will not execute in the same process as the Erlang VM.

Configuration for a rule.


Type: string

Default: ""

The name of the rule


Type: string

SQL query to transform the messages. Example: SELECT * FROM "test/topic" WHERE payload.x = 1


Type: array

Default: []

A list of actions of the rule. An action can be a string that refers to the channel ID of an EMQX bridge, or an object that refers to a function. There a some built-in functions like "republish" and "console", and we also support user provided functions in the format: "{module}:{function}". The actions in the list are executed sequentially. This means that if one of the action is executing slowly, all the following actions will not be executed until it returns. If one of the action crashed, all other actions come after it will still be executed, in the original order. If there's any error when running an action, there will be an error message, and the 'failure' counter of the function action or the bridge channel will increase.


Type: boolean

Default: true

Enable or disable the rule


Type: string

Default: ""

The description of the rule


Type: map

Rule metadata, do not change manually

Configuration for a built-in action.


Type: string

The user provided function. Should be in the format: '{module}:{function}'. Where {module} is the Erlang callback module and {function} is the Erlang function.

To write your own function, checkout the function console and republish in the source file: apps/emqx_rule_engine/src/emqx_rule_actions.erl as an example.


Type: map

Default: {}

The args will be passed as the 3rd argument to module:function/3, checkout the function console and republish in the source file: apps/emqx_rule_engine/src/emqx_rule_actions.erl as an example.

Rule actions

Configuration for a built-in action.


Type: console

Print the actions to the console

Configuration for a built-in action.


Type: republish

Republish the message as a new MQTT message


Type: rule_engine:republish_args

Default: {}

The arguments of the built-in 'republish' action.One can use variables in the args. The variables are selected by the rule. For example, if the rule SQL is defined as following: SELECT clientid, qos, payload FROM "t/1" Then there are 3 variables available: clientid, qos and payload. And if we've set the args to: { topic = "t/${clientid}" qos = "${qos}" payload = "msg: ${payload}" } When the rule is triggered by an MQTT message with payload = hello, qos = 1, clientid = Steve, the rule will republish a new MQTT message to topic t/Steve, payload = msg: hello, and qos = 1.


Type: string

The target topic of message to be re-published. Template with variables is allowed, see description of the 'republish_args'.


Type: qos | string

Default: ${qos}

The qos of the message to be re-published. Template with variables is allowed, see description of the 'republish_args'. Defaults to ${qos}. If variable ${qos} is not found from the selected result of the rule, 0 is used.


Type: boolean | string

Default: ${retain}

The 'retain' flag of the message to be re-published. Template with variables is allowed, see description of the 'republish_args'. Defaults to ${retain}. If variable ${retain} is not found from the selected result of the rule, false is used.


Type: string

Default: ${payload}

The payload of the message to be re-published. Template with variables is allowed, see description of the 'republish_args'. Defaults to ${payload}. If variable ${payload} is not found from the selected result of the rule, then the string "undefined" is used.


Type: string

Default: ${user_properties}

From which variable should the MQTT message's User-Property pairs be taken from. The value must be a map. You may configure it to ${pub_props.'User-Property'} or use SELECT *,pub_props.'User-Property' as user_properties to forward the original user properties to the republished message. You may also call map_put function like map_put('my-prop-name', 'my-prop-value', user_properties) as user_properties to inject user properties. NOTE: MQTT spec allows duplicated user property names, but EMQX Rule-Engine does not.

Data Bridge


The config for MQTT Bridges.


Type: boolean

Default: true

Enable or disable this bridge


Type: bridge_mqtt:creation_opts

Default: {}

Resource options.


Type: enum

Default: cluster_shareload

Optional: cluster_shareload

The mode of the MQTT Bridge.

  • cluster_shareload: create an MQTT connection on each node in the emqx cluster.
    In 'cluster_shareload' mode, the incoming load from the remote broker is shared by using shared subscription.
    Note that the 'clientid' is suffixed by the node name, this is to avoid clientid conflicts between different nodes. And we can only use shared subscription topic filters for remote.topic of ingress connections.


Type: string

The host and port of the remote MQTT broker


Type: string

Optional prefix to prepend to the clientid used by egress bridges.


Type: string

Deprecated since v5.0.16.


Type: enum

Default: v4

Optional: v3 | v4 | v5

The MQTT protocol version


Type: boolean

Default: false

If enable bridge mode. NOTE: This setting is only for MQTT protocol version older than 5.0, and the remote MQTT broker MUST support this feature. If bridge_mode is set to true, the bridge will indicate to the remote broker that it is a bridge not an ordinary client. This means that loop detection will be more effective and that retained messages will be propagated correctly.


Type: string

The username of the MQTT protocol


Type: string

The password of the MQTT protocol


Type: boolean

Default: true

Whether to start a clean session when reconnecting a remote broker for ingress bridge


Type: string

Default: 300s

MQTT Keepalive. Time interval is a string that contains a number followed by time unit:
- ms for milliseconds,

  • s for seconds,
  • m for minutes,
  • h for hours;
    or combination of whereof: 1h5m0s


Type: string

Default: 15s

Message retry interval. Delay for the MQTT bridge to retry sending the QoS1/QoS2 messages in case of ACK not received. Time interval is a string that contains a number followed by time unit:
- ms for milliseconds,

  • s for seconds,
  • m for minutes,
  • h for hours;
    or combination of whereof: 1h5m0s


Type: non_neg_integer

Default: 32

Max inflight (sent, but un-acked) messages of the MQTT protocol


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: connector-mqtt:ingress

The ingress config defines how this bridge receive messages from the remote MQTT broker, and then send them to the local broker.
Template with variables is allowed in 'remote.qos', 'local.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the input of a rule, and also 'local.topic' is configured, then messages got from the remote broker will be sent to both the 'local.topic' and the rule.


Type: connector-mqtt:egress

The egress config defines how this bridge forwards messages from the local broker to the remote broker.
Template with variables is allowed in 'remote.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the action of a rule, and also 'local.topic' is configured, then both the data got from the rule and the MQTT messages that matches 'local.topic' will be forwarded.

Creation options.


Type: non_neg_integer

Default: 16

The number of buffer workers. Only applicable for egress type bridges. For bridges only have ingress direction data flow, it can be set to 0 otherwise must be greater than 0.


Type: duration_ms

Default: 15s

Health check interval.


Type: boolean

Default: true

Whether start the resource right after created.


Type: duration_ms

Default: 5s

Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.


Type: infinity | duration_ms

Default: 60s

The auto restart interval after the resource is disconnected.


Type: enum

Default: async

Optional: sync | async

Query mode. Optional 'sync/async', default 'async'.


Type: infinity | duration_ms

Default: 15s

Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.


Type: pos_integer

Default: 100

Async query inflight window.


Type: boolean

Deprecated since v5.0.14.


Type: bytesize

Default: 100MB

Maximum number of bytes to buffer for each buffer worker.


Configuration for an HTTP bridge.


Type: boolean

Default: true

Enable or disable this bridge


Type: bridge_webhook:creation_opts

Default: {}

Resource options.


Type: duration_ms

Default: 15s

The timeout when connecting to the HTTP server.


Type: duration

Deprecated since 5.0.4.


Type: emqx_connector_http:pool_type

Default: random

The type of the pool. Can be one of random, hash.


Type: pos_integer

Default: 8

The pool size.


Type: pos_integer

Default: 100

A positive integer. Whether to send HTTP requests continuously, when set to 1, it means that after each HTTP request is sent, you need to wait for the server to return and then continue to send the next request.


Type: connector-http:request

Configure HTTP request parameters.


Type: ssl_client_opts

Default: {"enable":false}

SSL connection settings.


Type: string

The URL of the HTTP Bridge.
Template with variables is allowed in the path, but variables cannot be used in the scheme, host, or port part.
For example, http://localhost:9901/${topic} is allowed, but http://${host}:9901/message or http://localhost:${port}/message is not allowed.


Type: egress

Deprecated since 5.0.12.


Type: string

The MQTT topic filter to be forwarded to the HTTP server. All MQTT 'PUBLISH' messages with the topic matching the local_topic will be forwarded.
NOTE: if this bridge is used as the action of a rule (EMQX rule engine), and also local_topic is configured, then both the data got from the rule and the MQTT messages that match local_topic will be forwarded.


Type: enum

Default: post

Optional: post | put | get | delete

The method of the HTTP request. All the available methods are: post, put, get, delete.
Template with variables is allowed.


Type: map

Default: {"accept":"application/json","cache-control":"no-cache","connection":"keep-alive","content-type":"application/json","keep-alive":"timeout=5"}

The headers of the HTTP request.
Template with variables is allowed.


Type: string

The body of the HTTP request.
If not provided, the body will be a JSON object of all the available fields.
There, 'all the available fields' means the context of a MQTT message when this webhook is triggered by receiving a MQTT message (the local_topic is set), or the context of the event when this webhook is triggered by a rule (i.e. this webhook is used as an action of a rule).
Template with variables is allowed.


Type: non_neg_integer

Default: 2

HTTP request max retry times if failed.


Type: duration_ms

Default: 15s

HTTP request timeout.

Creation options.


Type: non_neg_integer

Default: 16

The number of buffer workers. Only applicable for egress type bridges. For bridges only have ingress direction data flow, it can be set to 0 otherwise must be greater than 0.


Type: duration_ms

Default: 15s

Health check interval.


Type: boolean

Default: true

Whether start the resource right after created.


Type: duration_ms

Default: 5s

Time interval to wait for an auto-started resource to become healthy before responding resource creation requests.


Type: infinity | duration_ms

Default: 60s

The auto restart interval after the resource is disconnected.


Type: enum

Default: async

Optional: sync | async

Query mode. Optional 'sync/async', default 'async'.


Type: infinity | duration_ms

Default: 15s

Starting from the moment when the request enters the buffer, if the request remains in the buffer for the specified time or is sent but does not receive a response or acknowledgement in time, the request is considered expired.


Type: pos_integer

Default: 100

Async query inflight window.


Type: boolean

Deprecated since v5.0.14.


Type: bytesize

Default: 100MB

Maximum number of bytes to buffer for each buffer worker.

Data Bridge Connector


Type: string

HTTP method.


Type: string

URL path.


Type: string

HTTP request body.


Type: map

List of HTTP headers.


Type: non_neg_integer

Max retry times if error on sending request.


Type: duration_ms

HTTP request timeout.

The egress config defines how this bridge forwards messages from the local broker to the remote broker.
Template with variables is allowed in 'remote.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the action of a rule, and also 'local.topic' is configured, then both the data got from the rule and the MQTT messages that matches 'local.topic' will be forwarded.


Type: connector-mqtt:egress_local

The configs about receiving messages from local broker.


Type: connector-mqtt:egress_remote

The configs about sending message to the remote broker.

The configs about receiving messages from local broker.


Type: string

The local topic to be forwarded to the remote broker

The configs about sending message to the remote broker.


Type: string

Forward to which topic of the remote broker.
Template with variables is allowed.


Type: qos | string

Default: 1

The QoS of the MQTT message to be sent.
Template with variables is allowed.


Type: boolean | string

Default: false

The 'retain' flag of the MQTT message to be sent.
Template with variables is allowed.


Type: string

The payload of the MQTT message to be sent.
Template with variables is allowed.

The ingress config defines how this bridge receive messages from the remote MQTT broker, and then send them to the local broker.
Template with variables is allowed in 'remote.qos', 'local.topic', 'local.qos', 'local.retain', 'local.payload'.
NOTE: if this bridge is used as the input of a rule, and also 'local.topic' is configured, then messages got from the remote broker will be sent to both the 'local.topic' and the rule.


Type: connector-mqtt:ingress_remote

The configs about subscribing to the remote broker.


Type: connector-mqtt:ingress_local

The configs about sending message to the local broker.

The configs about sending message to the local broker.


Type: string

Send messages to which topic of the local broker.
Template with variables is allowed.


Type: qos | string

Default: ${qos}

The QoS of the MQTT message to be sent.
Template with variables is allowed.


Type: boolean | string

Default: ${retain}

The 'retain' flag of the MQTT message to be sent.
Template with variables is allowed.


Type: string

The payload of the MQTT message to be sent.
Template with variables is allowed.

The configs about subscribing to the remote broker.


Type: string

Receive messages from which topic of the remote broker


Type: qos

Default: 1

The QoS level to be used when subscribing to the remote broker


EMQX Gateway configuration root.


Type: gateway:stomp

The Stomp Gateway configuration. This gateway supports v1.2/1.1/1.0


Type: gateway:mqttsn

The MQTT-SN Gateway configuration. This gateway only supports the v1.2 protocol


Type: gateway:coap

The CoAP Gateway configuration. This gateway is implemented based on RFC-7252 and


Type: gateway:lwm2m

The LwM2M Gateway configuration. This gateway only supports the v1.0.1 protocol.


Type: gateway:exproto

The Extension Protocol configuration

ClientInfo override.


Type: string

Template for overriding username.


Type: string

Template for overriding password.


Type: string

Template for overriding clientid.

MQTT topic that corresponds to a particular type of event.


Type: string

Topic Name


Type: qos

Default: 0

QoS Level


The CoAP protocol gateway provides EMQX with the access capability of the CoAP protocol. It allows publishing, subscribing, and receiving messages to EMQX in accordance with a certain defined CoAP message format.


Type: emqx_gateway_schema:duration

Default: 30s

The gateway server required minimum heartbeat interval. When connection mode is enabled, this parameter is used to set the minimum heartbeat interval for the connection to be alive


Type: boolean

Default: false

Enable or disable connection mode. Connection mode is a feature of non-standard protocols. When connection mode is enabled, it is necessary to maintain the creation, authentication and alive of connection resources


Type: enum

Default: qos

Optional: non | con | qos

The Notification Message will be delivered to the CoAP client if a new message received on an observed topic. The type of delivered coap message can be set to:

  • non: Non-confirmable;
  • con: Confirmable;
  • qos: Mapping from QoS type of received message, QoS0 -> non, QoS1,2 -> con


Type: enum

Default: coap

Optional: qos0 | qos1 | qos2 | coap

The Default QoS Level indicator for subscribe request. This option specifies the QoS level for the CoAP Client when establishing a subscription membership, if the subscribe request is not carried qos option. The indicator can be set to:

  • qos0, qos1, qos2: Fixed default QoS level
  • coap: Dynamic QoS level by the message type of subscribe request
    • qos0: If the subscribe request is non-confirmable
    • qos1: If the subscribe request is confirmable


Type: enum

Default: coap

Optional: qos0 | qos1 | qos2 | coap

The Default QoS Level indicator for publish request. This option specifies the QoS level for the CoAP Client when publishing a message to EMQX PUB/SUB system, if the publish request is not carried qos option. The indicator can be set to:

  • qos0, qos1, qos2: Fixed default QoS level
  • coap: Dynamic QoS level by the message type of publish request
    • qos0: If the publish request is non-confirmable
    • qos1: If the publish request is confirmable


Type: string

Default: ""


Type: gateway:udp_listeners

Settings for the UDP listeners.


Type: boolean

Default: true

Whether to enable this gateway


Type: boolean

Default: true

Whether to enable client process statistic


Type: emqx_gateway_schema:duration

Default: 30s

The idle time of the client connection process. It has two purposes:

  1. A newly created client process that does not receive any client requests after that time will be closed directly.
  2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.


Type: gateway:clientinfo_override

ClientInfo override.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs


Settings for EMQX extension protocol (exproto).


Type: gateway:exproto_grpc_server

Configurations for starting the ConnectionAdapter service


Type: gateway:exproto_grpc_handler

Configurations for request to ConnectionHandler service


Type: string

Default: ""


Type: gateway:tcp_udp_listeners

Settings for the listeners.


Type: boolean

Default: true

Whether to enable this gateway


Type: boolean

Default: true

Whether to enable client process statistic


Type: emqx_gateway_schema:duration

Default: 30s

The idle time of the client connection process. It has two purposes:

  1. A newly created client process that does not receive any client requests after that time will be closed directly.
  2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.


Type: gateway:clientinfo_override

ClientInfo override.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs

Settings for the exproto gRPC connection handler.


Type: string

gRPC server address.


Type: ssl_client_opts

SSL configuration for the gRPC client.

Settings for the exproto gRPC server.


Type: emqx_gateway_schema:ip_port() | integer

Listening address and port for the gRPC server.


Type: gateway:ssl_server_opts

SSL configuration for the gRPC server.


The LwM2M protocol gateway.


Type: string

The Directory for LwM2M Resource definition.


Type: emqx_gateway_schema:duration

Default: 15s

Minimum value of lifetime allowed to be set by the LwM2M client.


Type: emqx_gateway_schema:duration

Default: 86400s

Maximum value of lifetime allowed to be set by the LwM2M client.


Type: emqx_gateway_schema:duration_s

Default: 22s

The value of the time window during which the network link is considered valid by the LwM2M Gateway in QMode mode. For example, after receiving an update message from a client, any messages within this time window are sent directly to the LwM2M client, and all messages beyond this time window are temporarily stored in memory.


Type: boolean

Default: false

Automatically observe the object list of REGISTER packet.


Type: enum

Default: contains_object_list

Optional: always | contains_object_list

Policy for publishing UPDATE event message.

  • always: send update events as long as the UPDATE request is received.
  • contains_object_list: send update events only if the UPDATE request carries any Object List


Type: gateway:lwm2m_translators

Topic configuration for LwM2M's gateway publishing and subscription.


Type: string

Default: lwm2m/${endpoint_name}/


Type: gateway:udp_listeners

Settings for the UDP listeners.


Type: boolean

Default: true

Whether to enable this gateway


Type: boolean

Default: true

Whether to enable client process statistic


Type: emqx_gateway_schema:duration

Default: 30s

The idle time of the client connection process. It has two purposes:

  1. A newly created client process that does not receive any client requests after that time will be closed directly.
  2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.


Type: gateway:clientinfo_override

ClientInfo override.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs

MQTT topics that correspond to LwM2M events.


Type: gateway:translator

The topic for receiving downstream commands. For each new LwM2M client that succeeds in going online, the gateway creates a subscription relationship to receive downstream commands and send it to the LwM2M client


Type: gateway:translator

The topic for gateway to publish the acknowledge events from LwM2M client


Type: gateway:translator

The topic for gateway to publish the notify events from LwM2M client. After succeed observe a resource of LwM2M client, Gateway will send the notify events via this topic, if the client reports any resource changes


Type: gateway:translator

The topic for gateway to publish the register events from LwM2M client.


Type: gateway:translator

The topic for gateway to publish the update events from LwM2M client


The MQTT-SN (MQTT for Sensor Networks) protocol gateway.


Type: integer

Default: 1

MQTT-SN Gateway ID. When the broadcast option is enabled, the gateway will broadcast ADVERTISE message with this value


Type: boolean

Default: false

Whether to periodically broadcast ADVERTISE messages


Type: boolean

Default: true

Allows connectionless clients to publish messages with a Qos of -1. This feature is defined for very simple client implementations which do not support any other features except this one. There is no connection setup nor tear down, no registration nor subscription. The client just sends its 'PUBLISH' messages to a GW


Type: boolean

Default: false

Whether to initiate all subscribed topic name registration messages to the client after the Session has been taken over by a new channel


Type: array

Default: []

The pre-defined topic IDs and topic names. A 'pre-defined' topic ID is a topic ID whose mapping to a topic name is known in advance by both the client's application and the gateway


Type: string

Default: ""


Type: gateway:udp_listeners

Settings for the UDP listeners.


Type: boolean

Default: true

Whether to enable this gateway


Type: boolean

Default: true

Whether to enable client process statistic


Type: emqx_gateway_schema:duration

Default: 30s

The idle time of the client connection process. It has two purposes:

  1. A newly created client process that does not receive any client requests after that time will be closed directly.
  2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.


Type: gateway:clientinfo_override

ClientInfo override.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs

The pre-defined topic name corresponding to the pre-defined topic ID of N.

Note: the pre-defined topic ID of 0 is reserved.


Type: integer

Topic ID. Range: 1-65535


Type: string

Topic Name


The STOMP protocol gateway provides EMQX with the ability to access STOMP (Simple (or Streaming) Text Orientated Messaging Protocol) protocol.


Type: gateway:stomp_frame


Type: string

Default: ""


Type: gateway:tcp_listeners

Settings for the TCP listeners.


Type: boolean

Default: true

Whether to enable this gateway


Type: boolean

Default: true

Whether to enable client process statistic


Type: emqx_gateway_schema:duration

Default: 30s

The idle time of the client connection process. It has two purposes:

  1. A newly created client process that does not receive any client requests after that time will be closed directly.
  2. A running client process that does not receive any client requests after this time will go into hibernation to save resources.


Type: gateway:clientinfo_override

ClientInfo override.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs

Size limits for the STOMP frames.


Type: non_neg_integer

Default: 10

The maximum number of Header


Type: non_neg_integer

Default: 1024

The maximum string length of the Header Value


Type: integer

Default: 65536

Maximum number of bytes of Body allowed per Stomp packet

Gateway available listener

Settings for the TCP listener.


Type: integer

Default: 16

Size of the acceptor pool.


Type: broker:tcp_opts

Setting the TCP socket options.


Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx. See:


Type: emqx_gateway_schema:duration

Default: 15s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.


Type: boolean

Default: true

Enable the listener.


Type: emqx_gateway_schema:ip_port() | integer

The IP address and port that the listener will bind.


Type: integer

Default: 1024

Maximum number of concurrent connections.


Type: integer

Default: 1000

Maximum connections per second.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs


Type: boolean

Default: true

Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.


Type: string

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t. Set to "" to disable the feature. Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: array

Default: []

The access control rules for this listener. See:

Settings for the TCP listeners.


Type: name


Type: name

Settings for the listeners.


Type: name


Type: name


Type: name


Type: name

Settings for the DTLS listener.


Type: integer

Default: 16

Size of the acceptor pool.


Type: gateway:udp_opts


Type: boolean

Default: true

Enable the listener.


Type: emqx_gateway_schema:ip_port() | integer

The IP address and port that the listener will bind.


Type: integer

Default: 1024

Maximum number of concurrent connections.


Type: integer

Default: 1000

Maximum connections per second.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs


Type: boolean

Default: true

Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.


Type: string

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t. Set to "" to disable the feature. Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: array

Default: []

The access control rules for this listener. See:


Type: gateway:dtls_opts

DTLS socket options

Settings for the DTLS protocol.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["dtlsv1.2","dtlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: string

Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used.
NOTE: The dhfile option is not supported by TLS 1.3.


Type: boolean

Default: false

Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).


Type: boolean

Default: true

An important security setting, it forces the cipher to be set based on the server-specified order instead of the client-specified order, hence enforcing the (usually more properly configured) security ordering of the server administrator.


Type: boolean

Default: true

In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.


Type: duration

Default: 15s

Maximum time duration allowed for the handshake to complete


Type: boolean

Default: false

Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.

Settings for the UDP listener.


Type: gateway:udp_opts


Type: boolean

Default: true

Enable the listener.


Type: emqx_gateway_schema:ip_port() | integer

The IP address and port that the listener will bind.


Type: integer

Default: 1024

Maximum number of concurrent connections.


Type: integer

Default: 1000

Maximum connections per second.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs


Type: boolean

Default: true

Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.


Type: string

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t. Set to "" to disable the feature. Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: array

Default: []

The access control rules for this listener. See:

Settings for the UDP listeners.


Type: name


Type: name

Settings for the UDP sockets.


Type: integer

Default: 100

Specify the {active, N} option for the socket. See:


Type: emqx_gateway_schema:bytesize

Size of the kernel-space receive buffer for the socket.


Type: emqx_gateway_schema:bytesize

Size of the kernel-space send buffer for the socket.


Type: emqx_gateway_schema:bytesize

Size of the user-space buffer for the socket.


Type: boolean

Default: true

Allow local reuse of port numbers.

Settings for the SSL listener.


Type: integer

Default: 16

Size of the acceptor pool.


Type: broker:tcp_opts

Setting the TCP socket options.


Type: boolean

Default: false

Enable the Proxy Protocol V1/2 if the EMQX cluster is deployed behind HAProxy or Nginx. See:


Type: emqx_gateway_schema:duration

Default: 15s

Timeout for proxy protocol. EMQX will close the TCP connection if proxy protocol packet is not received within the timeout.


Type: boolean

Default: true

Enable the listener.


Type: emqx_gateway_schema:ip_port() | integer

The IP address and port that the listener will bind.


Type: integer

Default: 1024

Maximum number of concurrent connections.


Type: integer

Default: 1000

Maximum connections per second.


Type: authn-builtin_db:authentication | authn-mysql:authentication | authn-postgresql:authentication | authn-mongodb:standalone | authn-mongodb:replica-set | authn-mongodb:sharded-cluster | authn-redis:standalone | authn-redis:cluster | authn-redis:sentinel | authn-http:get | authn-http:post | authn-jwt:hmac-based | authn-jwt:public-key | authn-jwt:jwks | authn-scram-builtin_db:authentication

Default authentication configs for all the gateway listeners. For per-listener overrides see authentication in listener configs


Type: boolean

Default: true

Set true (default) to enable client authentication on this listener. When set to false clients will be allowed to connect without authentication.


Type: string

When publishing or subscribing, prefix all topics with a mountpoint string. The prefixed string will be removed from the topic name when the message is delivered to the subscriber. The mountpoint is a way that users can use to implement isolation of message routing between different listeners. For example if a client A subscribes to t with listeners.tcp.\<name>.mountpoint set to some_tenant, then the client actually subscribes to the topic some_tenant/t. Similarly, if another client B (connected to the same listener as the client A) sends a message to topic t, the message is routed to all the clients subscribed some_tenant/t, so client A will receive the message, with topic name t. Set to "" to disable the feature. Variables in mountpoint string:

  • ${clientid}: clientid
  • ${username}: username


Type: array

Default: []

The access control rules for this listener. See:


Type: listener_ssl_opts

SSL Socket options.

SSL configuration for the server.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: string

Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used.
NOTE: The dhfile option is not supported by TLS 1.3.


Type: boolean

Default: false

Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).


Type: boolean

Default: true

An important security setting, it forces the cipher to be set based on the server-specified order instead of the client-specified order, hence enforcing the (usually more properly configured) security ordering of the server administrator.


Type: boolean

Default: true

In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.


Type: duration

Default: 15s

Maximum time duration allowed for the handshake to complete


Manage EMQX plugins.
Plugins can be pre-built as a part of EMQX package, or installed as a standalone package in a location specified by install_dir config key
The standalone-installed plugins are referred to as 'external' plugins.


Type: array

Default: []

An array of plugins in the desired states.
The plugins are started in the defined order


Type: string

Default: plugins

The installation directory for the external plugins. The plugin beam files and configuration files should reside in the subdirectory named as emqx_foo_bar-0.1.0.
NOTE: For security reasons, this directory should NOT be writable by anyone except emqx (or any user which runs EMQX).


Type: duration

Default: 5s

Check interval: check if the status of the plugins in the cluster is consistent,
if the results of 3 consecutive checks are not consistent, then alarm.

A per-plugin config to describe the desired state of the plugin.


Type: string

The {name}-{version} of the plugin.
It should match the plugin application name-version as the for the plugin release package name
For example: my_plugin-0.1.0.


Type: boolean

Set to 'true' to enable this plugin


External hook (exhook) configuration.


Type: array

Default: []

List of exhook servers

gRPC server configuration.


Type: string

Name of the exhook server


Type: boolean

Default: true

Enable this Exhook server


Type: string

URL of the gRPC server


Type: duration

Default: 5s

The timeout of request gRPC server


Type: enum

Default: deny

Optional: deny | ignore

The value that is returned when the request to the gRPC server fails for any reason


Type: exhook:ssl_conf


Type: exhook:socket_options

Default: {"keepalive":true,"nodelay":true}


Type: false | duration

Default: 60s

Whether to automatically reconnect (initialize) the gRPC server. When gRPC is not available, Exhook tries to request the gRPC service at that interval and reinitialize the list of mounted hooks.


Type: pos_integer

Default: 8

The process pool size for gRPC client

Connection socket options


Type: boolean

Default: true

Enables/disables periodic transmission on a connected socket when no other data is exchanged. If the other end does not respond, the connection is considered broken and an error message is sent to the controlling process.


Type: boolean

Default: true

If true, option TCP_NODELAY is turned on for the socket, which means that also small amounts of data are sent immediately


Type: bytesize

The minimum size of receive buffer to use for the socket


Type: bytesize

The minimum size of send buffer to use for the socket

SSL client configuration.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: boolean

Default: false

Enable TLS.


Type: disable | string

Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP addressed used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.


SSL/TLS configuration for clients

Socket options for SSL clients.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: boolean

Default: false

Enable TLS.


Type: disable | string

Specify the host name to be used in TLS Server Name Indication extension.
For instance, when connecting to "", the genuine server which accepts the connection and performs TLS handshake may differ from the host the TLS client initially connects to, e.g. when connecting to an IP address or when the host has multiple resolvable DNS records
If not specified, it will default to the host name string which is used to establish the connection, unless it is IP addressed used.
The host name is then also used in the host name verification of the peer certificate.
The special value 'disable' prevents the Server Name Indication extension from being sent and disables the hostname verification check.

SSL/TLS configuration for the listener

Socket options for SSL connections.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: string

Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used.
NOTE: The dhfile option is not supported by TLS 1.3.


Type: boolean

Default: false

Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).


Type: boolean

Default: true

An important security setting, it forces the cipher to be set based on the server-specified order instead of the client-specified order, hence enforcing the (usually more properly configured) security ordering of the server administrator.


Type: boolean

Default: true

In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.


Type: duration

Default: 15s

Maximum time duration allowed for the handshake to complete


Type: boolean

Default: false

Memory usage tuning. If enabled, will immediately perform a garbage collection after the TLS/SSL handshake.


TCP listener options.


Type: integer

Default: 100

Specify the {active, N} option for this Socket.


Type: pos_integer

Default: 1024

TCP backlog defines the maximum length that the queue of pending connections can grow to.


Type: duration

Default: 15s

The TCP send timeout for the connections.


Type: boolean

Default: true

Close the connection if send timeout.


Type: bytesize

The TCP receive buffer (OS kernel) for the connections.


Type: bytesize

The TCP send buffer (OS kernel) for the connections.


Type: bytesize

Default: 4KB

The size of the user-space buffer used by the driver.


Type: bytesize

Default: 1MB

The socket is set to a busy state when the amount of data queued internally by the VM socket implementation reaches this limit.


Type: boolean

Default: true

The TCP_NODELAY flag for the connections.


Type: boolean

Default: true

The SO_REUSEADDR flag for the connections.


WebSocket listener options.


Type: string

Default: /mqtt

WebSocket's MQTT protocol path. So the address of EMQX Broker's WebSocket is: ws://{ip}:{port}/mqtt


Type: enum

Default: multiple

Optional: single | multiple

Whether a WebSocket message is allowed to contain multiple MQTT packets.


Type: boolean

Default: false

If true, compress WebSocket messages using zlib.
The configuration items under deflate_opts belong to the compression-related parameter configuration.


Type: duration

Default: 7200s

Close transport-layer connections from the clients that have not sent MQTT CONNECT message within this interval.


Type: infinity | integer

Default: infinity

The maximum length of a single MQTT packet.


Type: boolean

Default: true

If true, the server will return an error when the client does not carry the Sec-WebSocket-Protocol field.
Note: WeChat applet needs to disable this verification.


Type: comma_separated_list

Default: mqtt, mqtt-v3, mqtt-v3.1.1, mqtt-v5

Comma-separated list of supported subprotocols.


Type: boolean

Default: false

If true, origin HTTP header will be validated against the list of allowed origins configured in check_origins parameter.


Type: boolean

Default: true

If false and check_origin_enable is true, the server will reject requests that don't have origin HTTP header.


Type: comma_separated_binary

Default: http://localhost:18083,

List of allowed origins.
See check_origin_enable.


Type: string

Default: x-forwarded-for

HTTP header used to pass information about the client IP address. Relevant when the EMQX cluster is deployed behind a load-balancer.


Type: string

Default: x-forwarded-port

HTTP header used to pass information about the client port. Relevant when the EMQX cluster is deployed behind a load-balancer.


Type: broker:deflate_opts


Socket options for WebSocket/SSL connections.


Type: string

Trusted PEM format CA certificates bundle file.
The certificates in this file are used to verify the TLS peer's certificates. Append new certificates to the file if new CAs are to be trusted. There is no need to restart EMQX to have the updated file loaded, because the system regularly checks if file has been updated (and reload).
NOTE: invalidating (deleting) a certificate from the file will not affect already established connections.


Type: string

PEM format certificates chain file.
The certificates in this file should be in reversed order of the certificate issue chain. That is, the host's certificate should be placed in the beginning of the file, followed by the immediate issuer certificate and so on. Although the root CA certificate is optional, it should be placed at the end of the file if it is to be added.


Type: string

PEM format private key file.


Type: enum

Default: verify_none

Optional: verify_peer | verify_none

Enable or disable peer verification.


Type: boolean

Default: true

Enable TLS session reuse.


Type: integer

Default: 10

Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. So, if depth is 0 the PEER must be signed by the trusted ROOT-CA directly;
if 1 the path can be PEER, Intermediate-CA, ROOT-CA;
if 2 the path can be PEER, Intermediate-CA1, Intermediate-CA2, ROOT-CA.


Type: string

String containing the user's password. Only used if the private key file is password-protected.


Type: array

Default: ["tlsv1.3","tlsv1.2","tlsv1.1","tlsv1"]

All TLS/DTLS versions to be supported.
NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config.
In case PSK cipher suites are intended, make sure to configure ['tlsv1.2', 'tlsv1.1'] here.


Type: array

Default: []

This config holds TLS cipher suite names separated by comma, or as an array of strings. e.g. "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256" or ["TLS_AES_256_GCM_SHA384","TLS_AES_128_GCM_SHA256"].
Ciphers (and their ordering) define the way in which the client and server encrypts information over the network connection. Selecting a good cipher suite is critical for the application's data security, confidentiality and performance.

The names should be in OpenSSL string format (not RFC format). All default values and examples provided by EMQX config documentation are all in OpenSSL format.

NOTE: Certain cipher suites are only compatible with specific TLS versions ('tlsv1.1', 'tlsv1.2' or 'tlsv1.3') incompatible cipher suites will be silently dropped. For instance, if only 'tlsv1.3' is given in the versions, configuring cipher suites for other versions will have no effect.

NOTE: PSK ciphers are suppressed by 'tlsv1.3' version config
If PSK cipher suites are intended, 'tlsv1.3' should be disabled from versions.


Type: string

Default: emqx_tls_psk:lookup

EMQX-internal callback that is used to lookup pre-shared key (PSK) identity.


Type: boolean

Default: true

SSL parameter renegotiation is a feature that allows a client and a server to renegotiate the parameters of the SSL connection on the fly. RFC 5746 defines a more secure way of doing this. By enabling secure renegotiation, you drop support for the insecure renegotiation, prone to MitM attacks.


Type: duration

Default: 5s

Hibernate the SSL process after idling for amount of time reducing its memory footprint.


Type: string

Path to a file containing PEM-encoded Diffie-Hellman parameters to be used by the server if a cipher suite using Diffie-Hellman key exchange is negotiated. If not specified, default parameters are used.
NOTE: The dhfile option is not supported by TLS 1.3.


Type: boolean

Default: false

Used together with {verify, verify_peer} by an TLS/DTLS server. If set to true, the server fails if the client does not have a certificate to send, that is, sends an empty certificate. If set to false, it fails only if the client sends an invalid certificate (an empty certificate is considered valid).


Type: boolean

Default: true

An important security setting, it forces the cipher to be set based on the server-specified order instead of the client-specified order, hence enforcing the (usually more properly configured) security ordering of the server administrator.


Type: boolean

Default: true

In protocols that support client-initiated renegotiation, the cost of resources of such an operation is higher for the server than the client. This can act as a vector for denial of service attacks. The SSL application already takes measures to counter-act such attempts, but client-initiated renegotiation can be strictly disabled by setting this option to false. The default value is true. Note that disabling renegotiation can result in long-lived connections becoming unusable due to limits on the number of messages the underlying cipher suite can encipher.


Type: duration

Default: 15s

Maximum time duration allowed for the handshake to complete


Compression options.


Type: enum

Optional: none | default | best_compression | best_speed

Compression level.


Type: integer

Default: 8

Optional: 1-9

Specifies the size of the compression state.
Lower values decrease memory usage per connection.


Type: enum

Default: default

Optional: default | filtered | huffman_only | rle

Specifies the compression strategy.


Type: enum

Default: takeover

Optional: takeover | no_takeover

Takeover means the compression state is retained between server messages.


Type: enum

Default: takeover

Optional: takeover | no_takeover

Takeover means the compression state is retained between client messages.


Type: integer

Default: 15

Optional: 8-15

Specifies the size of the compression context for the server.


Type: integer

Default: 15

Optional: 8-15

Specifies the size of the compression context for the client.