Job & Plugin: MQTT Topic Permissions

Audience: Integrators configuring MQTT topic permissions for job tasks or managed plugins.

This page is a consolidated reference for how the MQTT broker enforces topic permissions for integrator-authored components. For the narrative explanation of how MQTT fits into the broader integration flow, see Step 3 of the Custom Job Integration Guide and Step 2 of the Custom Plugin Integration Guide.

How Enforcement Works

Topic permissions are declared in the component's JSON file and enforced by the broker at runtime. The enforcement model has four stages:

Declaration. A job declares permitted topics in mqttTopics on the job root object. A plugin declares them in metadata.mqttTopics in the plugin JSON.

Connection. When a component connects to the broker, the broker validates the client identity against the launched-process registry and resolves which job or plugin the connection belongs to based on the client ID format.

Enforcement. Every publish and subscribe call is checked against the declared allowed lists for that component. Calls to undeclared topics are denied. The MQTT connection itself is not dropped — only the individual operation fails.

Silent denial. A denied publish or subscribe does not produce a client-visible error in most cases. If operations appear to succeed at the connection level but messages are not arriving, a missing topic declaration is the first thing to check.

Jobs

Topic permissions for job tasks are declared on the job root object — not inside the task definition:

"mqttTopics": {
  "allowedPublications": ["KeeperLogger"],
  "allowedSubscriptions": []
}

When mqttTopics is present with at least one entry, the agent injects KEEPER_JOB_ID and KEEPER_JOB_NAME as environment variables before starting the task. These are required to form the correct MQTT client ID.

If your task does not use MQTT at all, you may omit mqttTopics entirely. Doing so also means KEEPER_JOB_ID and KEEPER_JOB_NAME are not injected.

Plugins

Topic permissions for managed plugins are declared under metadata in the plugin JSON:

The primary Subscription.Topic is a separate field from metadata.mqttTopics.subscribe. Both are subscribed — declare additional topics in metadata.mqttTopics.subscribe alongside the primary subscription, not instead of it.

Side-by-Side Comparison

MQTT Client IDs

The broker uses the client ID format to associate a connection with a job or plugin and apply the correct permission set. Using the wrong format causes permission checks to fail even when the topic declarations are correct.

For job tasks:

• KEEPER_JOB_ID comes from the environment variable the agent injects

• ExecutableToken is a short, stable name for your binary — no underscores, no path characters

• ProcessId is the current OS process ID as a decimal integer

• The job id must not contain underscores — the broker splits on _ to extract the job ID segment

Example: my-scanner_SecretScanner_48292

For managed plugins:

• PluginName should align with the plugin id

• Do not use the job triple format for a plugin — the broker applies different permission logic based on client ID format

Wildcards

Prefer explicit topic strings in production. Wildcards are convenient during development but reduce what the broker can enforce. For a bounded command set, list each topic explicitly:

KeeperLogger

KeeperLogger is the well-known topic for structured log delivery. Any job task or plugin that publishes structured log messages must include it in the publish list. The payload must follow the RequestMessage JSON format — see Step 5 in the Custom Job Integration Guide for the complete format and a code example.

Do not publish to product-internal topics (policy, API, and similar) unless your administrator has explicitly extended permissions for your component.

Common Failures