Mattermost Production Guide

Overview

Mattermost is an open-source, self-hosted messaging platform designed as a Slack alternative for organizations that need to keep their communications data on-premises or within their own cloud accounts. Built by Mattermost, Inc. (founded 2016, originating from SpinPunch Inc.'s internal chat tool open-sourced in 2015), it provides channels, direct messages, threaded conversations, file sharing, and search — all under your control.

The platform is written in Go on the backend and React on the frontend, delivering a modern chat experience that teams can deploy behind their firewall. Mattermost positions itself specifically for security-conscious organizations in government, defense, financial services, and healthcare where data sovereignty is non-negotiable.

Core messaging concepts

Channels — Public and private channels organize conversations by topic, project, or team. Similar to Slack channels
Direct messages — One-on-one and group DMs for private conversations outside of channels
Threads — Threaded replies keep discussions organized within channels, preventing important context from being lost in scroll
File sharing — Drag-and-drop file uploads with preview support for images, PDFs, and code files
Search — Full-text search across all messages, with filters by channel, user, and date range

Positioning vs. Slack and Microsoft Teams

vs Slack

Self-hosted — your data never leaves your infrastructure
No per-user pricing surprises at scale
Full API access and source code for customization
Air-gapped deployment capability
Slack has a much larger plugin ecosystem and more polished UX

vs Microsoft Teams

No Microsoft 365 dependency or Azure AD requirement
Runs on Linux — no Windows Server needed
Open-source core — audit the code yourself
Lightweight — no Electron bloat on the server side
Teams has deeper Office 365 integration and video calling built-in

Recommendation

Mattermost is the right choice when the organization requires data sovereignty, air-gapped deployment, or full control over their messaging infrastructure. If none of these apply and the org already has Slack or Teams, migrating to Mattermost rarely makes sense unless cost at scale is the driver.

Architecture

Mattermost follows a straightforward three-tier architecture: a stateless application server, a relational database, and a file storage backend. Real-time message delivery is handled via WebSocket connections.

┌──────────────┐ │ Nginx / │ │ HAProxy │ │ (Reverse │ │ Proxy) │ └──────┬───────┘ │ ┌────────────┼────────────┐ │ │ │ ┌──────▼──┐ ┌──────▼──┐ ┌──────▼──┐ │ MM Node │ │ MM Node │ │ MM Node │ │ (Go) │ │ (Go) │ │ (Go) │ └────┬────┘ └────┬────┘ └────┬────┘ │ │ │ └────────────┼────────────┘ ┌─────┴─────┐ │ │ ┌──────▼──┐ ┌────▼──────┐ │ Postgres │ │ File Store│ │ (or │ │ (S3/MinIO/│ │ MySQL) │ │ local) │ └──────────┘ └───────────┘

Backend — Go application server

The Mattermost server is a single Go binary that handles HTTP REST API requests, WebSocket connections for real-time messaging, plugin execution, and scheduled jobs (e.g., data retention, LDAP sync). It is stateless by design, which means you can run multiple instances behind a load balancer for horizontal scaling.

Frontend — React web application

The web client is a React single-page application served by the Go server. Desktop clients (Windows, macOS, Linux) are Electron wrappers around the same React app. Mobile clients (iOS, Android) use React Native. All clients communicate with the server via the REST API and WebSocket.

Database

PostgreSQL is the recommended database. MySQL is also supported but PostgreSQL receives more testing and better optimization from the Mattermost team. The database stores users, channels, messages, reactions, file metadata, configuration, and all application state.

Note

Starting with Mattermost v8, PostgreSQL became the primary supported database. MySQL support for new installations was removed in v10, and full MySQL deprecation is targeted for v11. Mattermost provides a migration guide and tooling for moving from MySQL to PostgreSQL. For new deployments, always choose PostgreSQL (v14+).

File storage

Uploaded files (images, documents, attachments) are stored separately from the database. Supported backends include:

Local filesystem — Simple, but not suitable for HA (unless on shared storage like NFS)
Amazon S3 — Recommended for production. Supports any S3-compatible API
MinIO — Self-hosted S3-compatible storage. Good for on-prem deployments

Reverse proxy

Nginx or HAProxy sits in front of Mattermost to handle TLS termination, static file serving, and WebSocket upgrade. The reverse proxy is critical for production — never expose the Mattermost port directly to the internet.

Deployment

Mattermost can be deployed in several ways depending on scale, infrastructure, and operational maturity. Each method trades simplicity for flexibility.

Docker

Official Docker images are published to Docker Hub. Mattermost provides a docker-compose.yml that bundles the app server, PostgreSQL, and Nginx. This is the fastest way to get a working instance.

Best for: development, testing, small teams
Not recommended for large-scale production without container orchestration

Omnibus package (EOL)

The Mattermost Omnibus package bundled the server, PostgreSQL, Nginx, and certbot into a single apt package for Debian/Ubuntu. Omnibus reached end-of-life with v10.12 (September 2025) and no new releases are available starting with v11. Existing users should migrate to Docker, Kubernetes, or a manual tarball deployment.

No longer recommended for new deployments
Existing installs should plan migration to a supported method

Kubernetes

The Mattermost Kubernetes Operator manages the full lifecycle of Mattermost deployments on Kubernetes. It handles provisioning, scaling, upgrades, and database management.

Best for: large-scale, multi-instance, cloud-native deployments
Requires Kubernetes expertise
Supports the Mattermost custom resource definition (CRD)

Cloud marketplace

Pre-built images available on AWS Marketplace, Azure, and DigitalOcean. These are AMIs or VM images with Mattermost pre-installed.

Best for: quick cloud deployments
May lag behind the latest release

Recommended production setup

For a production deployment serving 500+ users, the recommended architecture is:

2+ Mattermost app nodes behind a load balancer
PostgreSQL with streaming replication (primary + replica)
S3 or MinIO for file storage (shared across nodes)
Nginx or HAProxy as reverse proxy with TLS termination
Elasticsearch or OpenSearch (optional, Enterprise) for improved search performance at scale. The experimental Bleve search engine was retired in v11

# Example: Docker Compose quickstart
git clone https://github.com/mattermost/docker
cd docker
cp env.example .env
# Edit .env to set domain, database credentials, etc.
docker compose -f docker-compose.yml -f docker-compose.nginx.yml up -d

Recommendation

For production, always use external PostgreSQL rather than the bundled container database. Use managed PostgreSQL (RDS, Cloud SQL) or a properly backed-up self-managed instance. The Docker Compose database is fine for testing but should never be used for production data.

High Availability

Mattermost supports high availability through a multi-node cluster architecture. Multiple Mattermost application servers run behind a load balancer, sharing the same database and file storage backend. This provides both redundancy and horizontal scaling.

Cluster mode

Mattermost cluster mode uses a gossip protocol for inter-node communication. When a message is posted on one node, it is broadcast to all other nodes via the cluster, which then push the message to their connected WebSocket clients. This ensures all users see messages in real-time regardless of which node they are connected to.

Enable clustering in config.json under ClusterSettings
All nodes must share the same ClusterName and the same database
Nodes discover each other via gossip (Hashicorp Memberlist) on a configurable port, with AES-256 encryption by default

Database HA

The database is typically the single point of failure. Options for database high availability include:

Patroni

Patroni manages PostgreSQL failover with etcd/consul for leader election. Provides automatic failover with configurable timeouts. The industry standard for self-managed PostgreSQL HA.

Managed (RDS/Cloud SQL)

AWS RDS Multi-AZ or Google Cloud SQL with automatic failover. Simplest option with built-in backups, patching, and monitoring. Recommended when running in a public cloud.

Shared file storage

In a multi-node cluster, file storage must be shared. Local filesystem storage will not work because a file uploaded to node A will not be accessible from node B. Use S3 or MinIO as the file backend for any HA deployment.

Load balancing

The load balancer must support WebSocket connections. Configure:

WebSocket sticky sessions — Use IP hash or cookie-based session affinity so that a user's WebSocket connection stays on the same backend node. This prevents reconnection storms.
Health checks — Use the /api/v4/system/ping endpoint to determine node health
TLS termination — Terminate TLS at the load balancer and use plain HTTP to backends (or re-encrypt if required)

Warning

Without WebSocket sticky sessions, users will experience frequent disconnections and message delivery delays. This is the most common misconfiguration in Mattermost HA deployments. If using Nginx, set ip_hash in the upstream block. If using HAProxy, use balance source or cookie-based persistence.

Integrations

Mattermost provides a rich integration ecosystem that lets teams connect their messaging platform with the tools they already use. Integrations range from simple webhooks to full server-side plugins.

Webhooks

Incoming webhooks — Accept HTTP POST requests from external services and post messages to a channel. Great for CI/CD notifications, monitoring alerts, and custom integrations
Outgoing webhooks — Trigger an HTTP POST to an external URL when a message matches a pattern or is posted to a specific channel. Useful for building custom bot responses

Slash commands

Custom slash commands let users trigger external actions from the message input. When a user types /deploy production, Mattermost sends a POST request to your configured endpoint, which can execute the deployment and return a response message.

Bots

Bot accounts are special accounts that can post messages, respond to events, and interact with channels via the REST API. Unlike webhooks, bots can listen to events across multiple channels and maintain state. Bots authenticate via personal access tokens.

Plugin ecosystem

The plugin system is Mattermost's most powerful integration mechanism. Plugins run inside the server process and can extend both the backend (Go) and the frontend (React).

DevOps plugins

Jira — Create, view, and transition issues from chat
GitLab — MR notifications, slash commands for repo actions
GitHub — PR reviews, issue notifications, repo subscriptions
Jenkins — Trigger builds and receive status notifications
CircleCI — Pipeline status and build notifications

Collaboration plugins

Zoom — Start meetings with a slash command
Microsoft Teams — Bridge messages between Mattermost and Teams
Playbooks — Incident response and process automation
Boards — Kanban-style project management (maintenance mode — removed from marketplace, bug fixes only for Enterprise customers)
Calls — Built-in audio calling and screen sharing via WebRTC (group calls require Professional or Enterprise)

Plugin marketplace

The Mattermost Plugin Marketplace is accessible from the System Console. It provides one-click install for community and Mattermost-maintained plugins. In air-gapped environments, plugins can be uploaded manually as .tar.gz bundles.

REST API

The Mattermost REST API (v4) provides full programmatic access to every feature: users, channels, posts, files, teams, roles, and system configuration. All integrations ultimately use this API. Authentication is via bearer tokens (personal access tokens or OAuth 2.0).

# Example: Post a message via the REST API
curl -X POST https://mattermost.example.com/api/v4/posts \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "channel_id": "channel_id_here",
    "message": "Deployment to production completed successfully."
  }'

Authentication

Mattermost supports multiple authentication backends that can be configured to match enterprise identity infrastructure. Multiple authentication methods (email, LDAP, SAML, OIDC) can be enabled system-wide simultaneously, but each user account is assigned to a single authentication method. Switching a user between methods requires first switching to email, then to the target method.

LDAP / Active Directory

Connect to LDAP/AD for user authentication and profile sync
Configurable attribute mapping (username, email, first/last name, nickname)
LDAP group sync maps AD groups to Mattermost teams and channels (Enterprise)
Scheduled sync interval pulls user changes from the directory
Supports LDAP over TLS (LDAPS) and STARTTLS

SAML 2.0

SAML single sign-on integrates with identity providers like Okta, Azure AD, ADFS, OneLogin, and Keycloak. Mattermost acts as the Service Provider (SP). SAML provides:

Single sign-on and single sign-out
Attribute mapping from SAML assertions to user fields
Group sync via SAML group assertions (Enterprise)
Certificate-based trust between IdP and SP

OpenID Connect (OIDC)

OIDC is the recommended approach for modern identity setups. Supported providers include:

Keycloak

Popular choice for self-hosted environments. Keycloak provides the OIDC identity layer while Mattermost acts as the relying party. Supports group-to-team mapping through custom claims.

Azure AD / Okta

Cloud identity providers. Configure the OAuth 2.0 / OIDC application in your provider, then add the client ID, secret, and discovery endpoint to Mattermost config.

Multi-factor authentication (MFA)

Mattermost supports TOTP-based MFA (Google Authenticator, Authy, etc.). MFA can be enforced system-wide so that all users must configure a second factor. When using SAML or OIDC, MFA should be handled at the identity provider level rather than in Mattermost.

Guest accounts

Guest accounts allow external collaborators (vendors, contractors, partners) to participate in specific channels without having full team membership. Guests can only see channels they are explicitly invited to, and their permissions are restricted by default.

Recommendation

Use OIDC with Keycloak for self-hosted environments and SAML with Azure AD or Okta for cloud-integrated setups. Always enforce MFA at the identity provider level. Disable email/password authentication once SSO is configured to prevent bypass.

Channels & Permissions

Mattermost uses a hierarchical permission model based on system roles, team roles, and channel roles. Understanding this model is critical for properly securing a deployment.

Channel types

Public channels — Visible to all team members. Anyone can join. Good for broad topics like #general, #engineering, #announcements
Private channels — Invite-only. Not visible in channel listings to non-members. Used for sensitive discussions, HR, security teams
Direct messages — One-on-one conversations between two users
Group messages — Ad-hoc conversations between 3-7 users (default limit, configurable) without creating a formal channel

Team management

Mattermost organizes users into teams. Each team has its own set of channels, and users can belong to multiple teams. Teams can be open (anyone can join) or invite-only. In large organizations, teams typically map to departments or business units.

Permission schemes

Permission schemes allow administrators to customize what each role can do at the system, team, and channel level. This is an Enterprise feature that provides fine-grained control over:

Who can create public/private channels
Who can delete or archive channels
Who can manage channel members
Who can post in read-only announcement channels
Who can use slash commands or integrations

Channel moderation

Channel moderation (Enterprise) allows overriding permissions on a per-channel basis. For example, you can create an #announcements channel where only admins can post but everyone can read and react. This is configured per-channel in the channel settings.

Compliance exports

For regulated industries, Mattermost Enterprise supports compliance exports in Actiance XML, Global Relay EML, and CSV formats. Exports can be scheduled to run daily and include all messages, file metadata, edits, and deletions. This is required for financial services (FINRA, SEC), healthcare (HIPAA), and government (FedRAMP) compliance.

Caution

Channel moderation is an Enterprise feature, and advanced permission schemes require Professional or Enterprise. On the free editions, you only get the default role-based permissions with limited customization. If the client needs granular channel-level controls, they need at least an Enterprise license.

Administration

Mattermost provides multiple interfaces for system administration, from a web-based System Console to the mmctl command-line tool.

System Console

The System Console is a web UI accessible to system administrators at /admin_console. It provides configuration for every aspect of the server: authentication, notifications, file storage, plugins, compliance, reporting, and more. Changes made in the System Console are written to config.json (or the database if using database config).

mmctl — command-line administration

The mmctl tool is a remote CLI that communicates with Mattermost via the REST API. It replaces the older mattermost CLI and can be run from any machine, not just the server host.

# Common mmctl commands
mmctl auth login https://mattermost.example.com
mmctl user list
mmctl channel create --team myteam --name new-channel --display-name "New Channel"
mmctl post create myteam:town-square --message "Server maintenance at 2am"
mmctl plugin install plugin-id
mmctl config set ServiceSettings.EnableDeveloper true

Bulk import/export

Mattermost supports bulk import/export in JSONL format for migrating data between instances or from other platforms (Slack, HipChat, MS Teams). The bulk import handles users, teams, channels, posts, reactions, and file attachments.

# Export data
mmctl export create
mmctl export download export-file.zip

# Import from Slack
mmctl import process slack-export.zip

Data retention policies

Enterprise deployments can configure automatic data retention policies that delete messages and files older than a specified number of days. Policies can be applied globally or per-channel. This is essential for compliance (some regulations require deletion after a period) and for managing storage growth.

Custom branding

Mattermost supports custom branding including: custom site name, custom login page text, custom brand image on the login screen, and custom link in the help menu. Enterprise adds the ability to customize announcement banners and the about page.

Custom emoji

Users can upload custom emoji (if permitted by the system admin). Custom emoji are stored in the file backend and available to all users on the server. This is a small but important feature for team culture and engagement.

Tip

Store Mattermost configuration in the database rather than config.json for production deployments. Database config is required for HA (all nodes read from the same config source) and enables config changes via the System Console without file access. Set MM_CONFIG environment variable to a database DSN to enable this.

Licensing

Mattermost uses an open-core licensing model. The free edition provides a fully functional messaging platform, while paid editions add enterprise features for compliance, scale, and administration.

Feature	Free (Entry/Team)	Professional	Enterprise
Channels, DMs, threads, search	Yes	Yes	Yes
Webhooks, slash commands, bots	Yes	Yes	Yes
Plugins & marketplace	Yes	Yes	Yes
SSO (SAML, OIDC)	No	Yes	Yes
LDAP group sync	No	No	Yes
Guest accounts	No	Yes	Yes
Permission schemes	Basic	Advanced	Full
Channel moderation	No	No	Yes
Compliance exports	No	No	Yes
Data retention policies	No	No	Yes
High availability clustering	No	No	Yes
Elasticsearch	No	No	Yes
Playbooks	Basic	Yes	Yes
Support	Community	Business hours	24/7 Premier
Pricing	Free	$10/user/mo	Custom

Key licensing considerations

HA clustering requires Enterprise. If the organization needs multi-node deployment for redundancy, they must purchase the Enterprise license. Professional does not include clustering. For a single-server deployment where occasional downtime is acceptable, Free or Professional may suffice.

Free tier changes (v11+)

As of Mattermost v11, the default free edition is Entry, which includes Enterprise-level features but enforces a 10,000 message history limit and supports up to ~100 users. The older Team edition (no message limit, up to 250 users, no SSO) remains available for small teams and hobbyists. Evaluate which free tier fits the use case before recommending.

Licenses are applied in the System Console under Edition and License. The license is a JSON file tied to the organization name, user count, and expiration date. When a license expires, Enterprise features are disabled but the server continues to function on Free edition capabilities.

Consultant's Checklist

Use this checklist when evaluating or deploying Mattermost for a client.

Infrastructure

PostgreSQL selected as database (not MySQL)
S3 or MinIO configured for file storage
Reverse proxy (Nginx/HAProxy) with TLS termination
WebSocket proxy pass configured correctly
Sufficient RAM (4 GB for up to 500 users, 8 GB for 500–1,000 users, 16–32 GB for 1,000+ users)
Database backups scheduled and tested
Log aggregation configured (stdout to ELK/Loki)

Authentication

SSO configured (SAML, OIDC, or LDAP)
Email/password auth disabled after SSO is live
MFA enforced at the IdP level
Guest account policy defined
Session length and idle timeout configured
Personal access token policy set

High Availability

Enterprise license applied (required for HA)
Multiple app nodes behind load balancer
WebSocket sticky sessions configured
Database HA (Patroni, RDS Multi-AZ, etc.)
Shared file storage (S3/MinIO) in use
Cluster gossip port open between nodes
Health check endpoint monitored

Security & Compliance

Rate limiting enabled
CORS settings restricted to known origins
Compliance exports configured (if required)
Data retention policies set
File upload size limits configured
Plugin upload restricted to admins
Audit log reviewed regularly

Operations

mmctl configured for remote administration
Config stored in database (not file) for HA
Upgrade plan documented (test upgrades on staging first)
Custom branding applied
Notification settings tuned (email, push, desktop defaults)
Channel naming conventions established
Integration inventory maintained (which webhooks, plugins, bots are deployed)
Elasticsearch or OpenSearch deployed for search at scale (1,000+ users, Enterprise required)

Webhooks

HTTP-based integration mechanism for posting and receiving messages

What are webhooks?

Webhooks are simple HTTP callbacks that allow external services to interact with Mattermost without building a full bot or plugin. They come in two types:

Incoming webhooks

An incoming webhook provides a unique URL endpoint. Any service that can make an HTTP POST request can send messages to a Mattermost channel by posting a JSON payload to this URL. No authentication token is needed — the URL itself acts as the credential.

# Send a message via incoming webhook
curl -X POST https://mattermost.example.com/hooks/HOOK_ID \
  -H "Content-Type: application/json" \
  -d '{"text": "Build #142 passed", "channel": "ci-notifications"}'

Incoming webhooks support Markdown formatting, attachments, custom usernames, and custom icons. They are the simplest way to get notifications from CI/CD pipelines, monitoring systems, and custom scripts into Mattermost.

Outgoing webhooks

Outgoing webhooks listen for messages in a channel (or messages starting with a trigger word) and send the message content to an external URL via HTTP POST. The external service can then process the message and return a response that gets posted back to the channel.

Outgoing webhooks are limited to public channels only. For private channels and DMs, use a bot account or plugin instead.

Security note: Incoming webhook URLs should be treated as secrets. Anyone who has the URL can post messages to your channel. Rotate webhook URLs if they are accidentally exposed. Consider using a plugin or bot with proper token authentication for sensitive integrations.

Plugins

Server-side and client-side extensions that run inside the Mattermost process

How plugins work

Mattermost plugins are bundles that can contain a server component (Go), a webapp component (React), or both. The server component runs as a subprocess managed by the Mattermost server, communicating via RPC. The webapp component is loaded as a JavaScript bundle in the browser.

Server-side capabilities

Hook into message events (before/after post creation, editing, deletion)
Register new API endpoints under /plugins/{plugin-id}/
Store key-value data in the plugin KV store
Schedule periodic jobs
Send bot messages, manage channels, modify users
Intercept and modify HTTP requests

Client-side capabilities

Add buttons to the channel header and post menu
Register custom components in the right-hand sidebar
Override the center channel with custom views
Add custom settings pages

Plugin management

Plugins are managed via the System Console or mmctl plugin commands. In air-gapped environments, plugins must be downloaded externally and uploaded as .tar.gz files. The plugin marketplace can be pointed to a local mirror if needed.

Consultant tip: Always vet third-party plugins before deploying to production. Server-side plugins run with full access to the Mattermost API and database. Only install plugins from the official marketplace or trusted sources. Review the plugin source code if possible.

mmctl

Remote command-line tool for Mattermost server administration

What is mmctl?

mmctl is the official CLI tool for administering a Mattermost server remotely. Unlike the legacy mattermost CLI (which required running commands on the server host), mmctl communicates over the REST API and can be run from any workstation.

Authentication

Before using mmctl, you authenticate against your Mattermost server:

mmctl auth login https://mattermost.example.com --name myserver
# Enter username and password when prompted
# Credentials are stored in ~/.config/mmctl/credentials

Common operations

# User management
mmctl user list
mmctl user create --email user@example.com --username newuser --password 'P@ssw0rd'
mmctl user deactivate username

# Channel management
mmctl channel create --team myteam --name ops --display-name "Operations"
mmctl channel archive myteam:old-channel
mmctl channel users add myteam:ops username1 username2

# Plugin management
mmctl plugin list
mmctl plugin install --url https://plugin-url.tar.gz
mmctl plugin enable com.mattermost.jira

# Configuration
mmctl config get SqlSettings.DriverName
mmctl config set ServiceSettings.SiteURL "https://chat.example.com"

# Bulk operations
mmctl export create --format bulk
mmctl import process import-file.zip

Tip: Use mmctl in CI/CD pipelines for automated channel creation, user provisioning, and configuration management. It supports --json output for scripting and --local mode for running on the server host without API authentication.

WebSocket

Persistent bidirectional connection for real-time message delivery

What is WebSocket?

WebSocket is a communication protocol that provides full-duplex communication channels over a single TCP connection. Unlike HTTP (which is request-response), WebSocket allows the server to push data to the client at any time without the client having to poll.

How Mattermost uses WebSocket

When a user opens Mattermost in their browser or desktop app, the client establishes a WebSocket connection to the server at /api/v4/websocket. This connection remains open for the duration of the session. The server pushes events through this connection:

New messages posted to channels the user is in
Message edits and deletions
Typing indicators
User status changes (online, away, offline)
Channel updates (new members, renames)
Reaction additions and removals

Reverse proxy configuration

The reverse proxy must be configured to support WebSocket upgrade. This is the most common point of failure in Mattermost deployments:

# Nginx WebSocket configuration
location ~ /api/v4/(users/)?websocket$ {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://mattermost_backend;
    proxy_read_timeout 600s;
}

Troubleshooting

If users see "WebSocket connection failed" errors or messages are not appearing in real-time, check:

Reverse proxy is passing Upgrade and Connection headers
No intermediary (CDN, WAF, firewall) is stripping WebSocket headers
proxy_read_timeout is set high enough (at least 600s)
In HA mode, sticky sessions are configured

Consultant tip: Always test WebSocket connectivity separately from HTTP. Use browser dev tools (Network tab, filter by WS) to verify the WebSocket connection is established and receiving events. A working HTTP connection does not guarantee WebSocket is working.

Playbooks

Structured incident response and repeatable process automation

What are Playbooks?

Mattermost Playbooks is a built-in feature (previously a plugin) that provides structured workflows for incident response, release management, and any repeatable process. A playbook defines a checklist of tasks, automated actions, and status updates that guide a team through a process.

Key concepts

Playbook — A reusable template that defines the stages, checklists, and automations for a process
Run — An instance of a playbook, triggered when an incident or process starts
Checklists — Step-by-step tasks that participants work through during a run
Status updates — Regular updates posted to a channel or broadcast to stakeholders
Retrospective — Post-run review to capture lessons learned

Common use cases

Incident response — On-call engineer triggers a playbook run, automatically creates a dedicated channel, invites the incident team, and walks through resolution steps
Release management — Track release readiness with checklists for QA, security review, documentation, and deployment
Employee onboarding — Automated checklist for new hire setup: accounts, equipment, training modules

Automations

Playbooks can trigger automated actions at various stages:

Create a dedicated channel when a run starts
Invite specific users or on-call groups automatically
Send webhook notifications to external systems (PagerDuty, Slack, etc.)
Prompt for status updates at configurable intervals
Export timeline and retrospective data

Note: Basic Playbooks functionality is available on Free edition (up to 5 playbooks). Professional and Enterprise editions remove limits and add features like retrospective reports, metrics dashboards, and channel-based exports.