AWS IoT MQTT Client for iPhone and iPad
MQTT Commander gives IoT developers and field engineers a native iOS tool to connect directly to AWS IoT Core from their phone. Import your device certificate in the Certificate Wizard, configure ALPN and SNI in seconds, and debug policy or handshake failures with Connection Doctor — all without leaving the field.
Coming soon to the App Store · $2.99
Who it's for
- IoT developers testing AWS IoT Core device connections from an iPhone or iPad
- Field engineers who need to verify a device certificate and MQTT policy on-site
- QA teams reproducing TLS handshake or MQTT CONNACK errors in staging environments
- Makers and hobbyists connecting ESP32 or Raspberry Pi projects through AWS IoT Core
- Security engineers auditing certificate expiry, SAN, and CN fields on live endpoints
Import Your AWS IoT Device Certificate in Seconds
AWS IoT Core issues each device a unique X.509 certificate and private key; the Amazon Root CA that anchors the broker's server certificate is a separate download. MQTT Commander's Certificate Wizard accepts all three. You can import a .p12 or .pfx bundle (with optional passphrase) or paste the PEM files individually: CA certificate, client certificate, and private key. The wizard validates the chain, checks the validity period, and inspects the SAN and CN fields so you catch mis-issued certificates before they reach your fleet. Private keys never leave the device; they are stored exclusively in the iOS Keychain.
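For the same checks off the phone, here is an added Python example (not MQTT Commander's code) that shells out to openssl for the chain, validity period, CN and SAN checks. It assumes openssl 1.1.1 or later (for `x509 -ext`); the openssl output it parses below is constructed by hand, not captured from a real certificate, and the file paths are placeholders.

```python
"""Certificate checks equivalent to the Certificate Wizard's: chain, validity, CN and SAN.

Added example, not MQTT Commander's code. Shells out to openssl (1.1.1+ for -ext);
SAMPLE_OUTPUT is constructed openssl output, not captured from a real certificate.
"""
import re
import subprocess
from datetime import datetime, timezone
from typing import Dict, Optional

DATE_FMT = "%b %d %H:%M:%S %Y"  # openssl prints e.g. "Jun  1 00:00:00 2025 GMT"


def openssl(*args: str) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], capture_output=True, text=True)


def _parse_date(s: str) -> datetime:
    return datetime.strptime(s.strip().replace(" GMT", ""), DATE_FMT).replace(tzinfo=timezone.utc)


def parse_summary(text: str, now: Optional[datetime] = None) -> Dict[str, object]:
    """Pull CN, validity window and SANs out of `openssl x509 -noout -subject -dates -ext subjectAltName`."""
    now = now or datetime.now(timezone.utc)
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", text)
    not_before = _parse_date(re.search(r"^notBefore=(.+)$", text, re.M).group(1))
    not_after = _parse_date(re.search(r"^notAfter=(.+)$", text, re.M).group(1))
    sans = re.findall(r"(?:DNS|IP Address|URI|email):([^,\s]+)", text)
    return {
        "cn": cn.group(1).strip() if cn else None,
        "not_before": not_before,
        "not_after": not_after,
        "sans": sans,
        "not_yet_valid": now < not_before,
        "expired": now >= not_after,
        "days_left": (not_after - now).days,
    }


def inspect_certificate(cert_path: str) -> Dict[str, object]:
    out = openssl("x509", "-in", cert_path, "-noout", "-subject", "-dates", "-ext", "subjectAltName")
    if out.returncode != 0:
        raise RuntimeError(out.stderr.strip())
    return parse_summary(out.stdout)


def verify_chain(ca_path: str, cert_path: str) -> bool:
    """True when cert_path chains to ca_path. Use your own issuing CA here: the Amazon Root CA
    anchors the broker's server certificate, it is not the issuer of AWS-generated device certs."""
    return openssl("verify", "-CAfile", ca_path, cert_path).returncode == 0


# Constructed openssl output for a certificate from a private issuing CA. AWS-generated
# device certificates instead carry CN = AWS IoT Certificate and no SAN.
SAMPLE_OUTPUT = """subject=CN = sensor-0042, O = Example Corp
notBefore=Jun  1 00:00:00 2024 GMT
notAfter=Jun  1 00:00:00 2026 GMT
X509v3 Subject Alternative Name: 
    DNS:sensor-0042.devices.example.com, DNS:sensor-0042
"""
SAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "now" so the sample is reproducible

if __name__ == "__main__":
    s = parse_summary(SAMPLE_OUTPUT, now=SAMPLE_NOW)
    print(s["cn"], s["sans"], "expired" if s["expired"] else f"{s['days_left']} days left")
    # For a real file: inspect_certificate("device.pem.crt"); verify_chain("issuing-ca.pem", "device.pem.crt")
```

Two caveats worth knowing before trusting a green result: a chain check against Amazon Root CA 1 or 3 only tells you that the root you plan to trust for the broker is loaded correctly, and CN/SAN checks matter mainly for certificates from your own CA, since AWS-generated device certificates all share the generic subject CN = AWS IoT Certificate.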
ALPN, SNI, and Port Configuration for AWS IoT Core
AWS IoT Core accepts certificate-authenticated MQTT on two ports: 8883 for standard MQTT over TLS, and 443 for TLS with the ALPN protocol identifier x-amzn-mqtt-ca. Port 443 is useful on networks that block outbound traffic other than HTTPS. MQTT Commander lets you enter your endpoint (for example a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com), select port 8883 or 443, and add x-amzn-mqtt-ca to the ALPN list with a single tap. AWS IoT Core requires the SNI extension on every TLS connection, and by default the app sends the endpoint hostname. You can set a custom SNI value when the TLS server name must differ from the host you connect to, as with custom domain configurations and private CA setups.
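The same port, ALPN and SNI decisions in a plain Python client, as an added example (standard-library ssl, not MQTT Commander's code): the endpoint and file paths are placeholders, while 8883, 443 and x-amzn-mqtt-ca are the values AWS IoT Core documents.

```python
"""Port, ALPN and SNI choices for a certificate-authenticated AWS IoT Core client.

Added example (standard-library ssl), not MQTT Commander's code. The endpoint and
file paths are placeholders; 8883, 443 and x-amzn-mqtt-ca are AWS IoT Core's values.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

ALPN_MQTT_CA = "x-amzn-mqtt-ca"  # ALPN id AWS IoT Core expects for MQTT with client certs on 443


@dataclass(frozen=True)
class TlsPlan:
    host: str               # endpoint used for DNS and TCP
    port: int               # 8883 or 443
    sni: str                # TLS server name; equals host unless you use a custom domain
    alpn: Tuple[str, ...]   # protocols to offer; empty on 8883


def plan_connection(endpoint: str, port: int, sni: Optional[str] = None) -> TlsPlan:
    """Derive SNI and ALPN from the chosen port; mirrors the app's one-tap ALPN entry."""
    if port == 8883:
        alpn: Tuple[str, ...] = ()
    elif port == 443:
        alpn = (ALPN_MQTT_CA,)
    else:
        raise ValueError(f"AWS IoT Core serves certificate-authenticated MQTT on 8883 or 443, not {port}")
    # AWS IoT Core requires SNI on every TLS connection: the endpoint name, or the
    # custom domain when a configurable endpoint is in use.
    return TlsPlan(endpoint, port, sni or endpoint, alpn)


def build_context(plan: TlsPlan, ca_file: Optional[str],
                  cert_file: Optional[str] = None, key_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2+, server verification on, device cert loaded, ALPN set only when the plan needs it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True            # the server cert must match plan.sni, passed below
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # Amazon Root CA 1 or 3 for an -ats endpoint
    else:
        ctx.load_default_certs()         # system trust store; the Amazon roots are in most of them
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # device certificate + private key
    if plan.alpn:
        ctx.set_alpn_protocols(list(plan.alpn))
    return ctx


def open_tls(plan: TlsPlan, ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """TCP connect to plan.host, then TLS with plan.sni; fail loudly if ALPN was not honoured."""
    raw = socket.create_connection((plan.host, plan.port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=plan.sni)
    if plan.alpn and tls.selected_alpn_protocol() != ALPN_MQTT_CA:
        tls.close()
        raise ssl.SSLError("broker did not negotiate x-amzn-mqtt-ca; is this really port 443 on AWS IoT?")
    return tls


if __name__ == "__main__":
    # Placeholder endpoint and paths; substitute the output of `aws iot describe-endpoint`.
    plan = plan_connection("a1b2c3d4e5f6g7-ats.iot.us-east-1.amazonaws.com", 443)
    ctx = build_context(plan, "AmazonRootCA1.pem", "device.pem.crt", "private.pem.key")
    with open_tls(plan, ctx) as tls:
        print("negotiated", tls.version(), "ALPN:", tls.selected_alpn_protocol())
```

The ALPN check after the handshake is the part people skip: if you point a port-443 profile at an endpoint that is not AWS IoT Core, the TLS handshake can still succeed while the broker ignores the ALPN offer, and the failure then surfaces later as an unexplained disconnect rather than at the TLS stage.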
Diagnosing Handshake and Policy Errors with Connection Doctor
When a connection to AWS IoT Core fails, the error is rarely obvious. Connection Doctor runs a seven-stage diagnostic sequence (input validation, DNS resolution, TCP reachability, TLS handshake, WebSocket upgrade where applicable, MQTT CONNECT, and subscription) and stops at the first failure with a plain-English explanation. TLS errors such as CERTIFICATE_VERIFY_FAILED or HANDSHAKE_FAILURE are decoded and linked to likely causes (wrong root CA, expired certificate, or SNI mismatch). MQTT 5 reason codes are mapped to AWS IoT policy actions: a CONNACK with 0x87 Not Authorized means the policy attached to your certificate does not allow iot:Connect for the client ID you used, and a refusal at the subscription stage points at iot:Subscribe (and iot:Receive) for that topic filter, so you know which iot:Connect, iot:Subscribe, iot:Receive, or iot:Publish statement to add. See the AWS IoT guide for a full walkthrough of common error patterns.
MQTT 3.1.1 and 5.0 over TCP, TLS, WebSocket, and WSS
MQTT Commander supports MQTT 3.1.1 and MQTT 5.0, QoS levels 0, 1, and 2, and all four transport types: plain TCP, TLS, WebSocket, and WebSocket Secure (WSS). For AWS IoT Core that means TLS with your device certificate on port 8883 (or 443 with ALPN), or WSS on port 443; note that AWS IoT Core authenticates WebSocket connections with SigV4-signed credentials or a custom authorizer rather than a device certificate. You can switch between protocol versions without recreating the connection profile, which is useful when you need to compare MQTT 5 session properties such as SessionExpiryInterval or TopicAliasMaximum against an MQTT 3.1.1 baseline. All broker credentials and message data stay on-device; only anonymous, opt-out crash diagnostics are ever sent off the device.
Works on iPhone and iPad — iOS 15 and Later
MQTT Commander is a native SwiftUI app built for iOS and iPadOS 15 and later, optimized for both the small screen of an iPhone and the larger canvas of an iPad. It is a one-time $2.99 purchase with no subscription, no seat licensing, and no usage caps. Updates are included. Whether you are verifying a production AWS IoT Core endpoint from the factory floor or stress-testing a message pipeline from a conference room, the full feature set — Certificate Wizard, Connection Doctor, QoS 0/1/2 publishing, retained messages, and wildcard subscriptions — is always available.
Frequently asked questions
Which certificate formats does MQTT Commander accept for AWS IoT Core?
MQTT Commander accepts .p12 and .pfx bundles (with optional passphrase) as well as individual PEM files for the CA certificate, client certificate, and private key. When you create a certificate in the AWS IoT console, the device certificate and private key are offered for download at that moment, and the private key cannot be retrieved later; the Amazon Root CA is a separate download linked from the same page. The Certificate Wizard validates the chain, expiry dates, and SAN/CN fields, then stores the private key in the iOS Keychain.
Should I use port 8883 or port 443 with ALPN x-amzn-mqtt-ca?
Use port 8883 for standard MQTT over TLS whenever your network allows outbound traffic on that port. Use port 443 with the ALPN protocol identifier x-amzn-mqtt-ca when you are on a network that restricts outbound connections to HTTPS only, such as a corporate Wi-Fi or a hotel network. Both options require mutual TLS with your device certificate.
How do I find my AWS IoT Core endpoint?
Open the AWS console, navigate to IoT Core, and select Settings from the left sidebar. Your custom endpoint is listed there and looks like a1b2c3d4e5f6g7.iot.us-east-1.amazonaws.com. You can also retrieve it with the AWS CLI command: aws iot describe-endpoint --endpoint-type iot:Data-ATS. Paste this value into the Host field in MQTT Commander and leave the SNI field blank unless you are using a custom domain or private CA.
What does Connection Doctor show when AWS IoT Core rejects my certificate?
Connection Doctor stops at the TLS stage and shows the specific TLS error, such as CERTIFICATE_VERIFY_FAILED or HANDSHAKE_FAILURE, along with a plain-English explanation. Common causes are an incorrect root CA (ATS endpoints chain to Amazon Root CA 1 or Amazon Root CA 3), an expired client certificate, or a CN or SAN mismatch. The tool also tells you which side rejected the handshake: a verification failure raised locally means your client rejected the broker's certificate (typically a wrong root CA or SNI mismatch), while an alert sent by the broker means it rejected your device certificate (typically expired, deactivated, or not registered in that account and region), so you can narrow down whether the problem is on your end or the broker's.
What happens when AWS IoT Core returns a Not Authorized CONNACK?
After a successful TLS handshake, AWS IoT Core evaluates the policy attached to your certificate before completing the MQTT CONNECT. If the policy does not grant iot:Connect for the client ID you used, an MQTT 5 client receives a CONNACK with reason code 0x87 (Not Authorized). Connection Doctor decodes this code and tells you which policy action to check. You then open the AWS console, find the certificate, view the attached policy, and add the missing permission against the right resource ARN: client/<clientId> for iot:Connect, topic/<topic> for iot:Publish and iot:Receive, and topicfilter/<filter> for iot:Subscribe.
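The decoding described in the Connection Doctor section and in this answer, as an added Python example that is not Connection Doctor's code: it parses MQTT 3.1.1 and MQTT 5 CONNACK packets, attaches the AWS IoT policy action a practitioner would check first, and runs named stages in order, stopping at the first failure. Reason codes follow the MQTT specifications; the packets and stages below are constructed stand-ins, and the policy hints assume an account, region and client ID you would fill in.

```python
"""Staged connection diagnostics with CONNACK decoding and AWS IoT policy hints.

Added example, not Connection Doctor's code. Reason codes follow MQTT 3.1.1 / 5.0;
the policy hints are the AWS IoT actions to check first. Packets are constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# MQTT 5.0 CONNACK reason codes a broker such as AWS IoT Core is likely to send
MQTT5_CONNACK = {
    0x00: ("Success", None),
    0x80: ("Unspecified error", None),
    0x81: ("Malformed Packet", None),
    0x84: ("Unsupported Protocol Version", None),
    0x85: ("Client Identifier not valid", "iot:Connect"),
    0x87: ("Not authorized", "iot:Connect"),
    0x8C: ("Bad authentication method", None),
    0x95: ("Packet too large", None),
}
# MQTT 3.1.1 CONNACK return codes
MQTT311_CONNACK = {
    0: ("Connection Accepted", None),
    1: ("Connection Refused, unacceptable protocol version", None),
    2: ("Connection Refused, identifier rejected", "iot:Connect"),
    3: ("Connection Refused, Server unavailable", None),
    4: ("Connection Refused, bad user name or password", None),
    5: ("Connection Refused, not authorized", "iot:Connect"),
}


@dataclass
class Connack:
    accepted: bool
    session_present: bool
    code: int
    reason: str
    policy_action: Optional[str]  # AWS IoT action to check first when a policy gap is the likely cause


def _varint(buf: bytes, i: int) -> Tuple[int, int]:
    """Decode an MQTT Variable Byte Integer at buf[i]; returns (value, index after it)."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[i]
        i += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, i
        mult *= 128
    raise ValueError("malformed Variable Byte Integer")


def decode_connack(packet: bytes, mqtt5: bool) -> Connack:
    """Parse a CONNACK for either protocol version and attach the AWS IoT policy hint."""
    if not packet or packet[0] != 0x20:
        raise ValueError("not a CONNACK (control byte should be 0x20)")
    remaining, i = _varint(packet, 1)
    if remaining < 2 or len(packet) - i < remaining:
        raise ValueError("truncated CONNACK")
    session_present = bool(packet[i] & 0x01)
    code = packet[i + 1]
    if mqtt5:
        if remaining < 3:
            raise ValueError("MQTT 5 CONNACK is missing its properties length")
        _varint(packet, i + 2)  # properties length is mandatory in 5.0, even when zero
        reason, action = MQTT5_CONNACK.get(code, (f"Unknown reason 0x{code:02X}", None))
    else:
        reason, action = MQTT311_CONNACK.get(code, (f"Unknown return code {code}", None))
    return Connack(code == 0, session_present, code, reason, action)


def explain(c: Connack, client_id: str) -> str:
    """Plain-English next step, in the spirit of Connection Doctor."""
    if c.accepted:
        return f"CONNECT accepted (session present: {c.session_present})."
    msg = f"CONNECT refused: {c.reason} (0x{c.code:02X})."
    if c.policy_action:
        msg += (f" Check that the policy attached to the certificate allows {c.policy_action}"
                f" on arn:aws:iot:<region>:<account>:client/{client_id}.")
    return msg


Stage = Tuple[str, Callable[[], Optional[str]]]  # (name, check); check returns None or a failure note


def run_stages(stages: List[Stage]) -> List[Tuple[str, str, str]]:
    """Run checks in order and stop at the first failure, as Connection Doctor does."""
    log = []
    for name, check in stages:
        try:
            problem = check()
        except Exception as exc:  # any exception at a stage is that stage's diagnosis
            problem = f"{type(exc).__name__}: {exc}"
        if problem:
            log.append((name, "FAIL", problem))
            break
        log.append((name, "OK", ""))
    return log


if __name__ == "__main__":
    # Constructed packets: an MQTT 5 Not Authorized with empty properties, and a 3.1.1 accept.
    denied = decode_connack(b"\x20\x03\x00\x87\x00", mqtt5=True)
    print(explain(denied, "sensor-0042"))
    print(explain(decode_connack(b"\x20\x02\x01\x00", mqtt5=False), "sensor-0042"))
    # Stand-in stages; real ones would resolve DNS, connect, handshake, then send CONNECT.
    for stage, status, note in run_stages([
        ("DNS resolution", lambda: None),
        ("TCP reachability", lambda: None),
        ("TLS handshake", lambda: None),
        ("MQTT CONNECT", lambda: None if denied.accepted else explain(denied, "sensor-0042")),
        ("Subscription", lambda: None),
    ]):
        print(f"{stage:18} {status} {note}")
```

Running it prints the first four stages with the CONNECT stage marked FAIL and the Subscription stage never attempted, which is the behaviour you want from any diagnostic: a policy problem should not be reported as a subscription problem.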
Does MQTT Commander send my AWS IoT credentials or messages to any server?
No. All broker credentials, certificates, private keys, and MQTT message payloads are stored on your device only. Private keys are kept in the iOS Keychain and never leave the device. The only data sent off-device is anonymous, opt-out crash and usage diagnostics collected by Sentry and Aptabase, which contain no broker addresses, credentials, or message content.
Get MQTT Commander
Native for iPhone & iPad. $2.99, one-time.