Security built into the protocol.
NoLag enforces isolation, access control, and authentication at the infrastructure level. Your application code handles business logic, not security plumbing.
Protocol-Level Security
TLS / WSS Encryption
All connections use TLS-encrypted WebSockets (wss://). Data is encrypted in transit between every client and the broker.
Binary MessagePack
Messages are serialized as binary MessagePack, not plaintext JSON. Smaller payloads, faster parsing, and no accidental data exposure in logs.
Broker-Level Enforcement
Permissions, scopes, and access rules are enforced at the MQTT broker, not in your application code. No middleware to forget, no filter to misconfigure.
Multi-Tenancy via Access Scopes
Assign actors to scopes, and all communication is automatically partitioned. Messages, webhooks, presence, and state are isolated per tenant at the MQTT level; no application-level filtering is required.
Tip: Scope metadata flows through webhooks automatically. Your backend receives the tenant scope in every webhook payload, so you always know which tenant triggered the event.
```text
# Without scopes, all actors share topics
app/room/orders ← all tenants
app/room/analytics ← all tenants

# With scopes, automatic namespace partitioning
tenant-a/room/orders ← tenant A only
tenant-b/room/orders ← tenant B only
tenant-a/room/analytics ← tenant A only
tenant-b/room/analytics ← tenant B only
```
Room-Level Access Control
Rooms are public by default. Any actor in the app can join. Attach at least one actor to a room and it becomes private: only explicitly granted actors can access it. No toggles, no config flags.
No actors = public. At least one actor = private. The access model is implicit from the actor list.
Public Room
No actors attached, open to all
Private Room
Actors attached, restricted access
Per-Topic ACL
Every topic has granular read/write permissions per actor type. Permissions are enforced at the broker, not in your middleware.
| Topic | Actor Type | Permission |
|---|---|---|
| orders | Device | Read only |
| orders | Server | Read + Write |
| analytics | User | No access |
| analytics | Server | Write only |
| notifications | Device | Read only |
| notifications | Session | Read only |
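To make the scope partitioning, the implicit room access rule, and the per-topic ACL table concrete, here is an added illustration (not NoLag's broker code): a toy broker-side authorizer that applies those three checks in order and denies by default. The `Actor` and `Room` types, the sample rooms, and the `<scope>/<room>/<topic>` layout are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Per-topic ACL from the table above: (topic, actor type) -> allowed actions.
# A pair absent from the table is "No access" (e.g. analytics/User): default deny.
TOPIC_ACL = {
    ("orders", "Device"): {"read"},
    ("orders", "Server"): {"read", "write"},
    ("analytics", "Server"): {"write"},
    ("notifications", "Device"): {"read"},
    ("notifications", "Session"): {"read"},
}

@dataclass
class Actor:
    actor_id: str
    actor_type: str  # Device, User, Server or Session
    scope: str       # tenant the actor was assigned to, e.g. "tenant-a"

@dataclass
class Room:
    name: str
    actors: set = field(default_factory=set)  # attached actor ids; empty = public

# Constructed sample rooms: "lobby" has no actors (public); "ops" is private to srv-1.
ROOMS = {"lobby": Room("lobby"), "ops": Room("ops", {"srv-1"})}

def authorize(actor, broker_topic, action, rooms=ROOMS):
    """Decide one request for broker_topic '<scope>/<room>/<topic>'.
    Returns (allowed, reason); checks scope, then room privacy, then topic ACL."""
    parts = broker_topic.split("/")
    if len(parts) != 3:
        return False, "malformed topic"
    scope, room_name, topic = parts
    # 1. Scope partitioning: another tenant's namespace is never reachable.
    if scope != actor.scope:
        return False, "cross-scope access"
    # 2. Room access: no actors attached means public, otherwise must be listed.
    room = rooms.get(room_name)
    if room is None:
        return False, "unknown room"
    if room.actors and actor.actor_id not in room.actors:
        return False, "room is private"
    # 3. Per-topic ACL keyed by actor type, default deny.
    if action not in TOPIC_ACL.get((topic, actor.actor_type), set()):
        return False, f"{actor.actor_type} has no {action} on {topic}"
    return True, "allowed"
```

The reason string is what a defender would want logged on every deny, so that cross-scope attempts and private-room probes are visible without inspecting the ACL by hand.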
Actor Authentication
Four actor types with scoped tokens and API key isolation. Each actor type has distinct capabilities and auth mechanisms.
Device
Frontend clients: browsers, mobile apps, embedded devices.
- WebSocket connections
- Scoped topic access
- Presence tracking
User
Authenticated users with identity tied to your auth provider.
- JWT-based auth
- Role-based permissions
- Cross-device sessions
Server
Backend services and AI agents with API key authentication.
- API key auth
- Full topic access
- Webhook integration
Session
Temporary, anonymous connections for guests and previews.
- Time-limited tokens
- Restricted scope
- No persistent identity
Security questions?
Security is built into every layer of NoLag. Start building with confidence.