[release] ChirpStack v4.6


Important note before you upgrade:

  • If you are migrating from ChirpStack v3 to ChirpStack v4 and are still using the ChirpStack Gateway Bridge v3.14.x, then you must add v4_migrate=true to your configuration as described by the v3 to v4 migration documentation.


End-to-end encryption

This feature makes it possible to implement end-to-end encryption between the end-device and end-application. On OTAA join, the join-server will provide Chirpstack with the encrypted AppSKey, which will be forwarded on every uplink to the end-application (integration events). The end-application then first decrypts the AppSKey with the KEK key shared between the JS and end-application, and then uses the decrypted AppSKey to decrypt the application payload.

On enqueue downlink, the end-application encrypts the application payload before enqueue. As well, it must set the f_cnt_down and is_encrypted fields such that ChirpStack knows that the payload is already encrypted and which downlink frame-counter was used during the encryption of the payload.

Note: This feature requires an external join-server.

Add chirpstack_integration crate

This chirpstack_integration crate can be used to build external integrations using the Redis Streams that are exposed by ChirpStack. An example implementation is the ChirpStack Pulsar Integration.

Tenant and application tags

This adds tags (like already can be found on device-profiles and devices) to tenants and applications. Note that the integration events will contain the aggregation of application + device-profile + device tags. Integration events will not contain the tenant tags.

Allow JoinEUI prefix configuration

This makes it possible to configure a JoinEUI prefix when configuring a join-server, to forward a range of JoinEUI to a single join-server without the need to add multiple join-server configuration blocks. As well, this makes it possible to configure a ‘catch-all’ join-server, using a JoinEUI prefix that would match all JoinEUIs.

Refactor streams API + expose Backend Interfaces requests

This moves some of the API:

  • meta/meta.protostreams/meta.proto
  • api/frame_log.protostreams/frames.proto
  • api/request_log.protostreams/api_requests.proto

If you are using these messages in your application, then you might need to update the import paths when updating the API SDK.

As well, this adds a new Redis Stream exposing the Backend Interfaces requests and responses (Passive Roaming + Join Server).

Add allow roaming option to Device Profile

This makes it possible to select which devices are allowed to use roaming and which devices not. This option can be configured in the device-profile. On migration this value will be set to true (as all devices could use roaming before this version).

Add assume_email_verified option for OIDC

Some OpenID Connect providers do not provide an email_verified value. By setting the assume_email_verified to true, ChirpStack will assume that the e-mail address has been verified. (#302)


  • Expose skip_f_cnt and device variables to ADR plugins.
  • Reset uplink ADR history table in case of DR / TxPower / NbTrans change.
  • Add secondary_net_ids configuration option.
  • Do not fail in case of corrupted mac-commands.
  • Use region default RX2 frequency if device-session RX2 frequency == 0.
  • Make it explicit that TX Power is in EIRP + update region configuration from ERP to EIRP.
  • Refactor device-lock / scheduler_run_after setting.
  • Ignore unknown JSON fields when decoding JSON to API structures in Rust.
  • Rename time to gw_time and add ns_time to the gateway rx-info struct.
  • Speed up API authorization validation queries (SQL).
  • Improve log output (better log messages + adding better correlation identifiers to each message).
  • Add preamble and no_crc fields to LoraModulationInfo (this is not used
    by ChirpStack, but it can be used by applications directly interacting with
    the gateway).
  • Omit null fields in Backend Interfaces JSON output. (#316)
  • Reduce dependencies for AWS SNS integration by replacing aws-sdk-sns crate with aws-sign-v4 + REST call.
  • Make device metric name optional. (#313)
  • Get all device-data in a single query to improve performance.
  • Change v4_migrate default to false (please v3 to v4 migration guide).


  • Debian package: Fix postinst to only run on install. (#295)
  • Fix setting initial tags in tenant form (UI).
  • Use unbounded MQTT client channels / fix dropping MQTT messages under high load.
  • Add misspelled UnkownReceiver as valid ResultCode in Backend Interfaces (this is a typo in the specifications). (#317)
  • Reload device on change event. (#319)
  • Fix sending empty downlink to Relay in case uplink ADRACKReq bit was set.
  • Return error in ThingsBoard integration if ThingsBoardAccessToken is not set. (#277)
  • Rename time to gw_time and add ns_time to the gateway rx-info struct.

Will this fix the issue as described here? (NOTE: issue was created in chirpstack-concentratord repo since its the only app that is affected by the described issue, but it might be chirpstack related)

If you are using JSON for debugging, then yes. If you are using Protobuf (default) then there was no issue. This release also ignores unknown JSON fields instead of throwing an error.


Thanks a lot (again) for the great work.

When I’m trying to build Chirpstack from Docker according to the documentation, it still seems to build it based on 4.4. Is this normal ?


Just for other people to know: you can add 4.6.0 at the end of the image version in the yaml (instead of 4) and it will force the use of the correct version in the build process.
I still don’t understand why the latest stable is not used but at least there is an easy solution.

I don’t see why it wouldn’t 4 and 4.6.0 have matching hashes:


I’m using just 4 as my tag and get 4.6.0 when I pull and start.