listen:   127.0.0.1:-1

authorization {
  # Our role based permissions.

  # Superuser can do anything.
  super_user = {
    publish = ">"
    subscribe = ">"
  }
  # Can do requests on _INBOX.foo.bar, and subscribe to anything
  # that is a response to an _INBOX.foo.
  #
  # Notice that authorization filters can be singletons or arrays.
  req_pub_user = {
    publish = ["_INBOX.foo.bar"]
    subscribe = "_INBOX.foo.>"
  }

  # Setup a default user that can subscribe to anything, but has
  # no publish capabilities.
  default_user = {
    subscribe = {
      allow: ["PUBLIC.>", "foo.*"]
      deny: ["PUBLIC.foo"]
    }
  }

  # Default permissions if none presented. e.g. susan below.
  default_permissions: $default_user

  # Users listed with persmissions.
  users = [
    {user: alice, password: foo, permissions: $super_user}
    {user: bob,   password: bar, permissions: $req_pub_user}
    {user: susan, password: baz}
  ]
}