User Identification in Events via MQTT
How to Cross-Reference Information to Identify the User in MQTT Messages
In many operational scenarios, identifying the user responsible for an event is essential for analysis, contextual actions, and auditing. Below, we list three possible approaches to perform this identification based on secure technical practices compatible with privacy guidelines.
1 - Identification via Advertisement-Key with Timestamp (recommended method)
How it works:
- At the time of user registration or login in the application, capture the advertisement-key and associate it with the user profile in your database.
- When receiving an EVENT_IN on the MQTT topic, use the advertisement-key as a search key to map the corresponding user.
Important considerations:
The advertisement-key may be changed by the operating system under certain situations. To ensure the consistency of identification, it is recommended to:
- Update the adv-key every time the user opens the application;
- Implement Google’s callback that notifies when the adv-key is modified;
- Treat the adv-key as a mutable identifier and perform regular update checks.
Common cases where the advertisement-key can change:
- The user manually resets the ID in the device settings;
- The app is reinstalled in anonymous mode, resulting in a new adv-key;
- Apps with privacy protection features may prevent the persistence of the advertisement-key.
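Added example (not part of the original documentation or of the vendor's code): one way to treat the adv-key as a mutable identifier is to keep a timestamped history of key-to-user bindings and resolve each EVENT_IN against the binding that was current at the event's time. The JSON encoding, the payload field names type, advertisement-key and timestamp, the class and function names, and the 30-day staleness limit are assumptions made for illustration.

```python
import json
from bisect import insort
from collections import defaultdict

MAX_BINDING_AGE = 30 * 24 * 3600  # assumed policy: ignore bindings not refreshed for 30 days

class AdvKeyDirectory:
    """Per-key history of (seen_at, user_id), so a mutable key resolves by time."""
    def __init__(self):
        self._history = defaultdict(list)

    def record(self, adv_key, user_id, seen_at):
        # Call at registration, login, every app open and from the key-change callback.
        insort(self._history[adv_key], (seen_at, user_id))

    def resolve(self, adv_key, event_ts):
        # Walk back to the latest binding observed at or before the event.
        for seen_at, user_id in reversed(self._history.get(adv_key, [])):
            if seen_at <= event_ts:
                fresh = event_ts - seen_at <= MAX_BINDING_AGE
                return user_id if fresh else None  # stale binding: do not attribute
        return None

def handle_event(directory, payload):
    """Return the user id for an EVENT_IN payload, or None if it cannot be attributed."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("type") != "EVENT_IN":
        return None
    adv_key, ts = msg.get("advertisement-key"), msg.get("timestamp")
    if not isinstance(adv_key, str) or isinstance(ts, bool) or not isinstance(ts, (int, float)):
        return None
    return directory.resolve(adv_key, ts)

# Constructed sample data: one device shared by two accounts, then a key reset.
directory = AdvKeyDirectory()
directory.record("adv-key-A", "user-1", 1_700_000_000)
directory.record("adv-key-A", "user-2", 1_700_100_000)  # second account logs in on the device
directory.record("adv-key-B", "user-2", 1_700_200_000)  # key reset, seen on next app open

def sample_event(adv_key, ts):
    return json.dumps({"type": "EVENT_IN", "advertisement-key": adv_key, "timestamp": ts})
```

Events that resolve to None are better queued for review than attributed to the last known user, since a wrong attribution corrupts the audit trail.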
2 - Use of notification_name field (alternative method with restrictions)
How it works:
It is possible to send an additional identifier in the field named notification_name, which accompanies the EVENT_IN on the MQTT topic. This field can be used, for example, to send an encrypted session-id.
Limitations and risks:
- Privacy: This approach may pose risks related to data protection laws such as LGPD, as it allows the indirect association of sensitive data.
- Security: If poorly implemented, it may expose identifiable data in transit.
Important: the notification_name field is not sent by default. If you wish to use it, request its activation from technical support.
3 - Identification via notification-token (method for use with Firebase)
How it works:
- The notificationToken generated by Firebase Cloud Messaging (FCM) is used as an identifier for events originating from a user/device.
- Capture the notificationToken and associate it with the user's profile in your database.
- Upon receiving the notificationToken in the MQTT event, the client can query its FCM database to map the token to the corresponding user and validate its authenticity.
Important considerations:
- The notificationToken is a dynamic and secure identifier linked to the device and the application instance.
- This approach is robust; however, technical integration with Firebase is required for token validation and periodic updating in the event of token revocation or device changes by the client.
Access the documentation of the methods for each operating system:
- Android: Android user identification.
- iOS: iOS user identification.
- Flutter: Flutter user identification.
- React: React user identification.