// the find
absmach/magistrala
IoT Platform Framework
Magistrala is a production-grade IoT middleware platform in Go that handles device identity, multi-protocol messaging (MQTT/HTTP/CoAP/WebSocket), fine-grained ABAC authorization via SpiceDB, and audit trails in one system. It targets teams building commercial or industrial IoT products who need serious multi-tenancy and access control — not hobbyists wiring up sensors. At 2,600 stars it has real adoption but is still a significant operational commitment.
SpiceDB-backed authorization using the Zanzibar model gives you ABAC+RBAC that actually scales, not the usual 'add an is_admin column' approach most IoT platforms ship. Each protocol (MQTT, HTTP, CoAP, WebSocket) is a first-class transport with its own adapter and proper per-protocol semantics, not HTTP-with-shims. Observability is baked in across services rather than bolted on: Prometheus metrics, OpenTelemetry tracing, and audit journals are standard middleware in every service. Integration tests hit a real Postgres instance (the setup_test.go pattern is consistent throughout), which means the test suite actually catches data-layer bugs.
The v0.19→v0.20 upgrade requires manual backfill scripts across SpiceDB and five separate databases, run in a specific order with role backfills — this is not a zero-downtime rolling upgrade situation, and it signals what maintenance looks like going forward. FluxMQ, the underlying message broker, is an in-house project from the same team; you're betting on an unproven broker instead of NATS or Redpanda, and there's no community to turn to if it misbehaves under load. The default Docker Compose setup spins up a separate Postgres instance for every service (re-db, reports-db, alarms-db, auth-db, domains-db) — five-plus stateful databases to operate before you've written a line of application code. There is no built-in time-series storage, which is a real gap: IoT workloads generate high-volume timestamped sensor data, and you'll need to integrate TimescaleDB or InfluxDB yourself, which somewhat undercuts the 'coherent system' pitch.