MQTT topics & console ACL

The cloud enforces per-device ACLs in the console. This SDK builds MQTT topics to match that layout.

Prefix

All device traffic uses:

{workspace_slug}/{device_key}/…

workspace_slug — workspace segment in the broker ACL. The provision API returns it in JSON; the SDK persists it in NVS. IOTMER_WORKSPACE_SLUG in menuconfig is an optional override, not required for normal firmware.
device_key — device secret from provisioning (not the MQTT username used for broker authentication).

Broker login still uses mqtt_username / mqtt_password from the provision response.

Publish

Topic pattern	SDK helper
`{workspace_slug}/{device_key}/telemetry`	`iotmer_telemetry_publish()`
`{workspace_slug}/{device_key}/state`	`iotmer_state_publish()`

Filter	SDK helper
`{workspace_slug}/{device_key}/cmd/#`	`iotmer_subscribe_commands()`
`{workspace_slug}/{device_key}/config/#`	`iotmer_subscribe_config()`

Wildcards (#) are required because command payloads may live under deeper path segments.

Config protocol topics

The config/# subscription is used by the MQTT Config Protocol v1:

Cloud retained hint: …/config/meta
Device pull request: …/config/get
Cloud response (single or chunked): …/config/resp
Device status/ack: …/config/status

Full payload and hashing rules: MQTT Config Protocol v1.

Incoming message routing

Callbacks receive the full topic string. The SDK routes messages by checking the path prefix (…/cmd/… vs …/config/…), not only the last path segment.

For MQTT rules, quotas, and console behaviour, see documentation → MQTT.

Prefix​

Publish​

Subscribe​

Config protocol topics​

Incoming message routing​

Prefix

Publish

Subscribe

Config protocol topics

Incoming message routing