Multi-Tenant MQTT · WebSockets · Auto HTTP Webhooks

Event Streams for IoT.
Simplified.

Onifast IOTstream is an ultra-lightweight, high-performance MQTT broker built directly into the Onifast ecosystem. Route telemetry data from smart devices using standard MQTT or secure WebSockets.

Get Onifast Panel Read Spec
mqtt sub — onifast-iotstream :1883
$ mosquitto_sub -h iot.local -p 1883 -u tenant1 -P secret -t "tenant1/sensors/temp"
 
Listening for telemetry messages...
{"client_id": "sensor_01", "timestamp": 1791883440, "temp_c": 23.45}
{"client_id": "sensor_01", "timestamp": 1791883450, "temp_c": 23.50}
 
$ curl -X POST http://localhost:4036/internal/tenant/kick -d '{"username":"tenant1"}'
{"status":"ok","kicked":2}
1883port
Standard MQTT Port
4035port
WebSocket MQTT (/ws)
4036port
Internal Mgmt API (REST)
Isolated
Multi-Tenant Namespace Enforced
SQLite
Tenant & Webhook Registry
What's included

An IoT Streaming engine

Fully-isolated namespaces, dual transport support, and seamless webhook integration for modern event-driven architectures.

Multi-Tenant Namespace Enforced
Clients can only publish/subscribe to topics starting with their own username prefix (username/topic), preventing cross-tenant access.
Standard TCP & WebSocket
Dual listener infrastructure. Connect hardware sensors directly over raw TCP, and dashboards/webapps over browser-friendly WebSockets.
HTTP Webhook Triggers
Automatically POST topic payloads to external webservers. Define topic filters to trigger REST endpoints when device updates arrive.
SQLite Metadata Storage
User profiles, connection limits, topic stats, and webhook records are stored safely in WAL-mode SQLite (onifast-iotstream.db).
Tenant Quotas
Configure connection limits per user profile. The engine kicks clients automatically when they go over their assigned limits.
Internal Management API
A loopback-only REST API exposes real-time broker statistics, tenant control actions, and dynamic webhook subscriptions.
Spec Architecture

Enforced Broker Logic

The MQTT broker enforces security and namespaces directly inside Go routines.

Topic Namespace Isolation

To guarantee multi-tenant security, the broker blocks all subscriptions and publishes outside the tenant's namespace prefix.

  • Root user has access to all topic trees.
  • Auto-validates connection credentials against the tenant store.
  • Dynamically reloads webhook caches via SIGHUP signals.
broker checks — broker.go 
// Verify publisher permissions
func (b *Broker) CanPublish(user, topic) error {
    if user != "root" && !strings.HasPrefix(topic, user+"/") {
        return fmt.Errorf("topic outside namespace")
    }
    // check if tenant enabled
    return nil
}
webhook subscription — internal api 
# Register webhook for a tenant's topics
POST /internal/webhook/add
{
  "username":     "tenant1",
  "topic_filter": "tenant1/sensors/+",
  "webhook_url":  "https://api.myweb.com/webhook"
}

# Webhook payload headers sent to URL
X-MQTT-Topic: tenant1/sensors/temp
X-MQTT-Username: tenant1
Content-Type: application/octet-stream
Webhook Gateway

Integrate telemetry with HTTP backends

Trigger external APIs asynchronously when hardware devices publish to topics.

  • Wildcard Filters: Supports standard MQTT wildcards (`+` and `#`) in webhook registers.
  • Async Processing: Webhooks run concurrently inside separate goroutines.
  • HTTP POST: Forwards the raw publish payload in binary/text formats.

The light IoT event loop.

Install Onifast Panel and run your custom IoT stream gateway today.

Get Onifast Panel Onifast.com