This topic describes how to establish MQTT connections over TCP by direct connection.

Note When you configure MQTT CONNECT packets:
  • Do not use the same device certificate (ProductKey, DeviceName, and DeviceSecret) for multiple physical devices for connection authentication. This is because when a new device initiates authentication to IoT Platform, a device that is already connected to IoT Platform using the same device certificate will be brought offline. Later, the device which was brought offline will try to connect again, causing the newly connected device to be brought offline instead.
  • In MQTT connection mode, open-source SDKs automatically reconnect to IoT Platform after they are brought offline. You can check the actions of devices by viewing the device logs.

Direct MQTT client connection

  1. We recommend that you use the TLS protocol for encryption, because it provides better security. Click here to download the TLS root certificate.
  2. Connect devices to the server using the MQTT client. For connection methods, seeOpen-source MQTT client references. For more information about the MQTT protocol, see
    Note Alibaba Cloud does not provide technical support for third-party code.
  3. Establish an MQTT connection.
    Connection domain name ${YourProductKey}.iot-as-mqtt. ${YourRegionId}

    Replace ${YourProductKey} with your ProductKey.

    Replace ${YourRegionId} with the region ID of your device. For information about regions and zones, see Regions and zones.

    Variable header: Keep Alive The Keep Alive parameter must be included in the CONNECT packet. The allowed range of Keep Alive value is 30-1200 seconds. If the value of Keep Alive is not in this range, IoT Platform will reject the connection. We recommend that you set a value larger than 300 seconds. If the Internet connection is not stable, set a larger value.
    Parameters in an MQTT CONNECT packet
    mqttClientId: clientId+"|securemode=3,signmethod=hmacsha1,timestamp=132323232|"
    mqttUsername: deviceName+"&"+productKey
    mqttPassword: sign_hmac(deviceSecret,content)

    mqttPassword: Sort the parameters to be submitted to the server alphabetically and then encrypt the parameters based on the specified sign method.

    The content value is a string that is built by sorting and concatenating the ProductKey, DeviceName, timestamp (optional) and clientId in alphabetical order, without any delimiters.
    • clientId: The client ID is a device identifier. We recommend that you use the MAC address or the serial number of the device as the client ID. The length of the client ID must be within 64 characters.
    • timestamp: The 13-digit timestamp of the current time. This parameter is optional.
    • mqttClientId: Extended parameters are placed between vertical bars (|).
    • signmethod: The signature algorithm. Valid values: hmacmd5, hmacsha1, and hmacsha256. Default value: hmacmd5.
    • securemode: The current security mode. Value options: 2 (TLS connection) and 3 (TCP connection).


    Suppose that clientId=12345, deviceName=device, productKey=pk, timestamp=789, signmethod=hmacsha1, deviceSecret=secret. The MQTT CONNECT packet sent over TCP is as follows:

    mqttPassword=hmacsha1("secret","clientId12345deviceNamedeviceproductKeypktimestamp789").toHexString(); //The toHexString() function converts a binary string to a hexadecimal string. The string is case-insensitive.

    The encrypted password is as follows:


MQTT Keep Alive

In a keep alive interval, the device must send at least one packet, including ping requests.

If IoT Platform does not receive any packets in a keep alive interval, the device is disconnected from IoT Platform and needs to reconnect to the server.

The keep alive time must be in a range of 30 to 1200 seconds. We recommend that you set a value larger than 300 seconds.