Magistrala On Atom

Magistrala uses Atom as its identity, credential, authorization, certificate, and audit system.

Magistrala still handles IoT application behavior: protocols, message routing, storage, alarms, reports, and UI workflows. Atom handles the security decisions behind those workflows.

Concept Mapping

Magistrala concept	Atom primitive
Domain	Tenant
User	Entity with `kind = human`
Client	Entity with `kind = device` or `service`
Channel	Resource with `kind = channel`
Rule, report, alarm	Resource with matching kind
Client key	Password credential or API key credential
Client certificate	Certificate credential
Group boundary	Object group
Role member set	Principal group or role assignment
Client-channel connection	Role assignment or direct policy

What this means: Magistrala creates domains, clients, channels, roles, and credentials in Atom. At runtime, FluxMQ asks Atom whether a client is authenticated and whether it can publish or subscribe. If Atom allows the request, the message continues to the writer and storage.

MQTT Example

When a device publishes a message:

The device connects to FluxMQ with a client ID and secret, API key, or certificate.
FluxMQ asks Atom to authenticate the identity.
FluxMQ asks Atom whether that entity can publish to the channel.
Atom evaluates current roles, direct policies, groups, and conditions.
If allowed, FluxMQ accepts the message.
The writer persists the message.

Certificate Example

When a device uses mTLS:

FluxMQ terminates TLS and reads the client certificate.
FluxMQ sends the certificate serial and fingerprint to Atom gRPC.
Atom checks the certificate credential row.
Atom rejects unknown, expired, or revoked certificates.
Atom returns the owning entity for active certificates.
FluxMQ uses that entity for the normal publish or subscribe authorization check.

Source Of Truth

The detailed product mapping lives in Building Magistrala on Atom.

Magistrala On Atom

Concept Mapping

Runtime Flow

MQTT Example

Certificate Example

Source Of Truth

On this page