Skip to content
Stand with Ukraine flag
Star
 
Pricing Try it now

Architecture Overview

ThingsBoard Edge is a standalone ThingsBoard deployment that runs locally — on-premises or on edge hardware. It connects to a ThingsBoard server, which provisions it, pushes configuration, and receives synchronized data. Device data is processed locally whether or not the Edge is connected to the server.

All Edge services run within a single JVM process, making it suitable for resource-constrained hardware — as little as 256–512 MB of RAM is sufficient for constrained environments. A single-node deployment supports up to approximately 1,000 devices, depending on message rate and hardware capacity.

Technology stack

Section titled “Technology stack”
ComponentRoleRequired?
PostgreSQLEntities, attributes, relations, alarms, time-series, and cloud event queueAlways required
Apache KafkaMessage queue between services and cloud event queue (replaces PostgreSQL queue)Since 3.9, optional

Single-node deployments require only PostgreSQL. Kafka is added when higher queue throughput or durability is needed for cloud synchronization.

Components

Section titled “Components”
ComponentResponsibility
TransportAccepts device connections over MQTT, HTTP, CoAP, LwM2M, and SNMP; validates credentials; pushes messages to the Rule Engine
Rule EngineProcesses every device message locally using the tenant’s rule chains — filter, enrich, transform, save, or forward data
Cloud ManagerReads events from the cloud event queue and pushes them to the server over gRPC; handles reconnection and ordered delivery
Core / REST APIEntity management, WebSocket subscriptions, active device session tracking
Web UIStateless Express.js process that serves the ThingsBoard UI as static content; all data is loaded via the REST and WebSocket APIs

Data flow

Section titled “Data flow”

When a device sends data, it follows this path on Edge:

  ┌────────┐  MQTT / HTTP /  ┌───────────┐  Message  ┌─────────────┐
  │ Device │──  CoAP / LwM2M ▶│ Transport │── Queue ──▶│ Rule Engine │
  └────────┘                  └─────┬─────┘           └──────┬──────┘
                                    │                        │
                              Authenticate              Execute chains
                              (credentials              Save, alarm,
                               from cache)              push to cloud
                                                              
                              ┌───────────────────────────────┘
                              
               ┌──────────────▼──────────────────────────────┐
               │               Core service                  │
               │  ┌──────────────┐    ┌─────────────────┐    │
               │  │ Save to DB   │    │  Notify WS /    │    │
               │  │ (telemetry,  │    │  dashboards     │    │
               │  │  attributes) │    └─────────────────┘    │
               │  └──────┬───────┘                           │
               └─────────┼─────────────────────────────────  ┘
                         
               ┌──────────▼──────────┐    ┌─────────────────────────┐
               │     PostgreSQL      │    │  Cloud Event Queue      │
               │  (entities, attrs,  │    │  (PostgreSQL or Kafka)  │
               │   time-series)      │    │  → pushed to server     │
               └─────────────────────┘    └─────────────────────────┘
  1. Connect: The device opens a connection to the Transport layer.
  2. Authenticate: Transport validates device credentials. Credentials are cached to avoid a database query on every message.
  3. Push to Rule Engine: Transport converts the payload into a unified message and forwards it via the message queue.
  4. Execute rule chains: The Rule Engine processes the message through the tenant’s rule chains — filtering, enriching, transforming, and triggering actions.
  5. Save: Action nodes write telemetry and attributes to the local database.
  6. Synchronize: Messages that reach the push to cloud node are stored as Cloud Events and forwarded to the server asynchronously.

Server connection

Section titled “Server connection”

Edge communicates with the ThingsBoard server over gRPC, with messages serialized using Protocol Buffers. The connection is persistent and bidirectional:

DirectionWhat flows
Edge → ServerTelemetry, attributes, alarms, events (via cloud event queue)
Server → EdgeEntity assignments, configuration changes, rule chain updates, downlinks

If the connection is lost, Cloud Events continue to accumulate in the local queue. The Cloud Manager delivers all queued events to the server in order once the connection is restored. For details, see Telemetry synchronization.

Deployment modes

Section titled “Deployment modes”

Edge runs as a single-process deployment (equivalent to ThingsBoard monolithic mode). Clustering is supported starting with Edge 4.0, using the same Kafka-based queue and service discovery approach as the ThingsBoard server.

ModeWhen to use
Single nodeMost edge deployments — one device, one rack, one site
Cluster (4.0+)High-availability requirements at the edge, or when a single node cannot handle the device load

Authentication

Section titled “Authentication”

Device authentication on Edge follows the same mechanism as on the ThingsBoard server. Supported credential types:

Credential typeProtocolHow it works
Access TokenMQTT, HTTP, CoAPToken sent as MQTT username or HTTP/CoAP query parameter
MQTT BasicMQTTClient ID, username, and password combination
X.509 CertificateMQTT (TLS)Device presents a client certificate during TLS handshake

Credentials are cached after the first lookup — subsequent messages from the same device are validated from cache without a database query.

User authentication uses JWT tokens for REST API and WebSocket connections, identical to the server.

© 2026 The ThingsBoard Authors