Webhook authentication

George Dimitrov

Jul 28, 2025, 11:42:01 AM
to vernemq-users

Hello,

I'm currently implementing authentication for VerneMQ using webhooks. The goal is to use JWTs to authenticate users when they connect to the broker and to restrict publishing so that each user can only publish to their own specific topics (e.g., using user_id found in the JWT token in the topic structure).

I’ve set up two webhook endpoints in my backend to handle the auth_on_register and auth_on_publish hooks, following the expected payload structures.

The auth_on_register hook is working correctly — my backend receives the request and successfully verifies the JWT. However, the auth_on_publish hook doesn't seem to be triggered at all. Users are able to publish messages without any authorization checks, and the backend is never called for publishing attempts.

Is auth_on_publish the correct hook for this use case? Or is there something I might be missing in the VerneMQ configuration to ensure this hook is triggered properly?

Thanks in advance for your help.

André Fatton

Jul 28, 2025, 11:53:16 AM
to vernemq-users
Hello George

Yes, auth_on_publish is the correct hook to use to authorize publish requests.
My guess is that you have not disabled the vmq_acl file-based authorization plugin, so it grabs all your auth_on_publish requests.

Best,
André

George Dimitrov

Jul 28, 2025, 12:14:03 PM
to vernemq-users
Thank you! That was it.
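
The flow discussed in this thread, as an added example that is not part of the original posts or of VerneMQ's code: a backend that verifies the JWT in auth_on_register and then, in auth_on_publish, allows a publish only under the user's own topic subtree. Assumptions: the JWT arrives in the MQTT password field and is HS256-signed, topics follow users/<user_id>/..., and the key and handler names are constructed for the example.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed HS256 secret (assumption)
SESSIONS = {}                   # (mountpoint, client_id) -> verified user_id
OK, DENY = {"result": "ok"}, {"result": {"error": "not_allowed"}}

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_jwt(claims, key=KEY):
    """Build a constructed HS256 token so the example runs offline."""
    signing_input = ".".join(_b64e(json.dumps(o).encode())
                             for o in ({"alg": "HS256", "typ": "JWT"}, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64e(sig)

def verify_jwt(token, key=KEY):
    """Return the claims if alg, signature and exp are valid, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            return None
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            return None
        claims = json.loads(_b64d(body))
        return claims if claims["exp"] > time.time() else None
    except (ValueError, AttributeError, KeyError, TypeError):
        return None

def auth_on_register(p):
    """Verify the JWT once and remember which user owns this client session."""
    claims = verify_jwt(p.get("password") or "")
    uid = str(claims.get("user_id") or "") if claims else ""
    if not uid:
        return DENY
    SESSIONS[(p["mountpoint"], p["client_id"])] = uid
    return OK

def auth_on_publish(p):
    """The publish payload carries no JWT, so look up the registered user."""
    user_id = SESSIONS.get((p["mountpoint"], p["client_id"]))
    levels = p["topic"].split("/")
    # Compare whole topic levels: a string-prefix test on "users/4" would
    # also match "users/42/...". Empty levels are rejected as well.
    if user_id and len(levels) >= 3 and levels[:2] == ["users", user_id] and all(levels):
        return OK
    return DENY
```

As the thread concludes, the broker only sends auth_on_publish to such a backend once the vmq_acl plugin is disabled.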