Enable authentication on the broker by setting `authenticationEnabled=true` and `authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken` (or mTLS) in `broker.conf`
Enable authorization with `authorizationEnabled=true` and `authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider`
Create a tenant with admin roles: `pulsar-admin tenants create <tenant> --admin-roles <role-name> --allowed-clusters <cluster-name>`
Create a namespace under the tenant: `pulsar-admin namespaces create <tenant>/<namespace>`
Grant produce or consume permissions to specific roles on the namespace: `pulsar-admin namespaces grant-permission <tenant>/<namespace> --role <role> --actions produce,consume`
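The broker-side settings from the first two steps can be checked mechanically. The script below is an added example, not part of the original page or of Pulsar itself: it audits a `broker.conf` for those settings and counts the roles in `superUserRoles` (the `broker.conf` key that lists superuser roles). The sample files, role names and the `max_superusers` threshold are constructed assumptions.

```python
# Added example: audit broker.conf for the auth settings named in the steps.
REQUIRED_TRUE = ("authenticationEnabled", "authorizationEnabled")

def parse_conf(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text, max_superusers=1):
    """Return findings; an empty list means every check passed.
    max_superusers is an assumed local policy threshold, not a Pulsar setting."""
    conf = parse_conf(text)
    findings = []
    for key in REQUIRED_TRUE:
        if conf.get(key, "").lower() != "true":
            findings.append(f"{key} is not set to true")
    if not conf.get("authenticationProviders"):
        findings.append("authenticationProviders is empty")
    if not conf.get("authorizationProvider"):
        findings.append("authorizationProvider is not set explicitly")
    roles = [r.strip() for r in conf.get("superUserRoles", "").split(",") if r.strip()]
    if len(roles) > max_superusers:
        findings.append(f"{len(roles)} superuser roles bypass authorization: {', '.join(roles)}")
    return findings

# Constructed sample files (role names are made up for illustration).
WEAK = """\
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
authorizationEnabled=false
superUserRoles=admin,proxy,ci-deployer
"""
HARDENED = """\
authenticationEnabled=true
authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
authorizationEnabled=true
authorizationProvider=org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider
superUserRoles=admin
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "OK")
```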
Known gotchas
The superuser role defined in broker.conf bypasses all authorization checks; restrict which service accounts hold superuser status and rotate their tokens regularly
Namespace-level permission grants do NOT automatically propagate to topics created in that namespace if topic-level policies are also in use; check for topic-level permission overrides if a client unexpectedly loses access
Token-based authentication requires that broker and clients share the same secret key for HMAC tokens or the same public key for RSA-signed tokens; a key mismatch causes silent 401 errors that appear as connection failures in older client versions