From 9c2ca9381d8450b5263b73138d2ea54b2c9f907e Mon Sep 17 00:00:00 2001 From: Ivan Kozlovic Date: Wed, 26 May 2021 10:13:28 -0600 Subject: [PATCH] Add operator mode authentication description In operator mode, MQTT clients need to provide the JWT through the MQTT password. --- nats-server/configuration/mqtt/mqtt_config.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/nats-server/configuration/mqtt/mqtt_config.md b/nats-server/configuration/mqtt/mqtt_config.md index 57db8e9..3818932 100644 --- a/nats-server/configuration/mqtt/mqtt_config.md +++ b/nats-server/configuration/mqtt/mqtt_config.md @@ -100,7 +100,15 @@ mqtt { } ``` -## Authorization of MQTT Users +## Authentication/Authorization of MQTT Users + +### Operator mode + +In operator mode, all users need to provide a JWT in order to connect. For MQTT clients, it means that you need to pass the JWT token as the MQTT password and use any username since MQTT protocol requires a username to be set if a password is set. + +In this mode, standard NATS clients are required to sign a `nonce` sent by the server using their private key (see [JWTs and Privacy](../securing_nats/jwt#jwts-and-privacy)). Of course MQTT clients cannot do that, therefore, in order for the JWT to be accepted by the server without the need of signing the `nonce`, the JWT has to have the `Bearer` boolean set to true. + +### Local mode A new field when configuring users allows you to restrict which type of connections are allowed for a specific user.
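Review bot: the new "Operator mode" paragraph should spell out the security consequence of setting the `Bearer` boolean to true: since the server then accepts the JWT without the `nonce` signature, possession of the JWT (sent as the MQTT password) is by itself enough to connect as that user, so the JWT must be handled as a secret and the MQTT connection should be TLS-protected; a sentence to that effect right after "the JWT has to have the `Bearer` boolean set to true." would make the trade-off clear to readers. Minor wording: "pass the JWT token" is redundant (JWT already means JSON Web Token), "since MQTT protocol requires" should read "since the MQTT protocol requires", and "without the need of signing the `nonce`" reads better as "without having to sign the `nonce`". Also please confirm that the relative link `../securing_nats/jwt#jwts-and-privacy` resolves from `nats-server/configuration/mqtt/mqtt_config.md`, since a broken anchor here would leave readers without the nonce-signing context the paragraph depends on.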