Authentication for your Mosquitto MQTT Broker

Published on: January 30, 2021

Welcome to the 21st Raspberry Pi tutorial and the second in the MQTT series. This tutorial will cover setting up authentication for your Mosquitto installation. This will help us secure our MQTT communication for when we set up an external bridge. 

Before we jump into Mosquitto and MQTT, I want to tell you about The Coder School. I don't normally promote others or take sponsors because I'm very picky about the content I have on this website. But what The Coder School does is very relevant and they do something that I love! They teach kids how to code! This is something that I wish existed when I was younger. But if you have kids today, check out their coding camps which are now available virtually as well to help with social distancing while keeping all the learning opportunities. They cover things like Game Development, Python, Java, and Pi Jam. You can guess which one is my favorite. Check them out at https://www.thecoderschool.com/.

Installing Mosquitto

If you haven't already installed Mosquitto, follow this tutorial: https://www.easyprogramming.net/raspberrypi/python_mqtt_setup.php

And before I continue, I'd like to mention that every configuration item I show you below can also be found on the Mosquitto man page: https://mosquitto.org/man/mosquitto-conf-5.html

Method 1 - Creating a Password File Manually

The first method is pretty simple. You create a new password file, it doesn't matter what you call it:

    nano password_file

My file named password_file has no extension but that's okay! The contents of the file are as follows:

    username:password

Replace the username with whatever username you want, and the password with whatever password you want. We'll then want to convert this file into a password file that Mosquitto recognizes:

    sudo mosquitto_passwd -U password_file

If you open up the file again, you'll see that the password was hashed. Let's now move it into place:

    sudo mv password_file /etc/mosquitto

This will move the file into the location with the configuration. Once done, move down to the configuration section below or check out method 2. 

Method 2 - Create a Password File via CLI

You can also generate your own password file using the CLI:

    sudo mosquitto_passwd -c password_file username

The -c flag lets Mosquitto know to generate the password file. Replace password_file with the name of the file you want and username with your username. This will create a file with your username and password as specified. And then you can move that file to the proper location:

    sudo mv password_file /etc/mosquitto

Configuring mosquitto.conf

We need to add a couple of lines to our mosquitto.conf file:

    cd /etc/mosquitto
    sudo nano mosquitto.conf

We need to add just two lines to this file at the bottom. The first one turns off anonymous logins and the second one sets the password file. For more information on these options, check out the mosquitto man page I linked to above:

    allow_anonymous false
    password_file /etc/mosquitto/password_file

Be sure to edit the password_file name to whatever name you used. After this, restart mosquitto:

    sudo service mosquitto restart

Now go back to your MQTT tester (MQTTLens if you use that) and try connecting with and without a user/password. You should only be able to connect with proper authentication.
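The same setup can also be checked from the files themselves. The following Python sketch is an added example, not code from the original tutorial: it reads the text of mosquitto.conf and of the password file and reports whether anonymous logins are off, a password_file is set, and every entry was actually hashed (for example, that the -U step in Method 1 was run). The function names and sample inputs are constructed for illustration; it assumes the `$6$`/`$7$` hash prefixes that mosquitto_passwd writes and does not follow include_dir.

```python
import re

# Assumption: mosquitto_passwd writes hashes prefixed with $6$ (SHA512)
# or $7$ (PBKDF2-SHA512). Anything else is treated as plaintext.
HASHED = re.compile(r"^\$[67]\$")

def audit_conf(conf_text):
    """Return a list of problems found in mosquitto.conf text (empty = OK)."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        parts = line.split(None, 1)
        # Simplification: this sketch keeps the last value seen for a key.
        settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    problems = []
    if settings.get("allow_anonymous") != "false":
        problems.append("allow_anonymous is not set to false")
    if not settings.get("password_file"):
        problems.append("password_file is not set")
    return problems

def audit_password_file(text):
    """Return usernames whose entry is malformed or still a plaintext password."""
    unhashed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, sep, secret = line.partition(":")
        if not sep or not HASHED.match(secret):
            unhashed.append(user)
    return unhashed

if __name__ == "__main__":
    # Constructed sample inputs; the hash string is a placeholder, not a real hash.
    sample_conf = (
        "# local settings\n"
        "allow_anonymous false\n"
        "password_file /etc/mosquitto/password_file\n"
    )
    sample_passwords = "alice:$7$101$c2FsdA==$aGFzaA==\nbob:hunter2\n"
    print("config problems:", audit_conf(sample_conf))
    print("unhashed users:", audit_password_file(sample_passwords))
```

To run it against a real installation, pass in the contents of /etc/mosquitto/mosquitto.conf and of the password file you created, read with sudo if needed.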

Be sure to come back to my next MQTT tutorial where I'll go over how to bridge two MQTT brokers (one external and one internal to our network). This will allow us to connect to an MQTT service when we're not home without ever exposing our internal network to the outside world. It will be helpful for Home Assistant as well as setting up voice commands with IFTTT. Stay tuned!

Patreon

I do these projects to learn and teaching is a good way to learn. But if you do want to support me, head on over to Patreon and become a Patron: https://www.patreon.com/nazmus

If you've implemented this project, I'd like to see it! So please share it with me through any of my regular channels. 

Remember to check out the Resources section below for associated downloadable content, JSFiddle links, and other resources. Watch the video and follow along!

Resources:

Find the code on GitHub at https://github.com/naztronaut/EP-MQTT


