Here’s a walkthrough with a direct link to the HASS MQTT settings to define a local user:
The MQTT add-on used to ignore (possibly blacklist) HASS users and credentials.
I’ve had a lot more success defining users in the add-on.
Use an MQTT tool like https://mqtt-explorer.com/ to check what credentials connect to Mosquitto. This is a great way of seeing how MQTT really works, and for maintenance like removing retained configuration messages.
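As an added example (not part of the post above, and not code from Home Assistant, Mosquitto or MQTT Explorer), here is what the two checks the post describes look like at the protocol level: a CONNECT packet carrying a username and password, the broker's CONNACK return code (4 = bad user name or password, 5 = not authorized), and a zero-length retained PUBLISH, which is how a retained discovery message gets cleared. The host, port, credentials and topic are placeholders; the packet helpers are plain MQTT 3.1.1 with no library dependency.

```python
"""Minimal MQTT 3.1.1 packet helpers to check which credentials a broker
accepts and to clear a retained message. Added example for this thread,
not Home Assistant or Mosquitto code. Broker address, credentials and
topic below are placeholders (assumptions), not values from the post."""
import socket
import sys
from typing import Optional, Tuple

# CONNACK return codes from the MQTT 3.1.1 specification (section 3.2.2.3).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def encode_remaining_length(n: int) -> bytes:
    """Variable-length 'remaining length' field: 7 data bits per byte, MSB = more follows."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def _utf8_field(s: str) -> bytes:
    """Length-prefixed UTF-8 string as used throughout MQTT packets."""
    data = s.encode("utf-8")
    return len(data).to_bytes(2, "big") + data


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 30) -> bytes:
    """CONNECT packet with clean session. Note the credentials are sent in the
    clear: only TLS (port 8883) protects them on the wire."""
    flags = 0x02                      # clean session
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80                 # user name flag
        payload += _utf8_field(username)
        if password is not None:
            flags |= 0x40             # password flag
            payload += _utf8_field(password)
    var_header = _utf8_field("MQTT") + bytes([0x04, flags]) + keepalive.to_bytes(2, "big")
    body = var_header + payload
    return b"\x10" + encode_remaining_length(len(body)) + body


def parse_connack(packet: bytes) -> Tuple[bool, int, str]:
    """Return (accepted, return_code, meaning) from a raw CONNACK packet."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    code = packet[3]
    return code == 0, code, CONNACK_CODES.get(code, "unknown return code")


def build_publish(topic: str, payload: bytes = b"", retain: bool = False) -> bytes:
    """QoS 0 PUBLISH. A zero-length payload with retain=True makes the broker
    delete the retained message it holds for that topic (spec section 3.3.1.3)."""
    header = 0x30 | (0x01 if retain else 0x00)
    body = _utf8_field(topic) + payload
    return bytes([header]) + encode_remaining_length(len(body)) + body


def check_credentials(host: str, port: int, username: str, password: str,
                      timeout: float = 5.0) -> Tuple[bool, int, str]:
    """Connect to the broker once and report how it answered the credentials."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("cred-check", username, password))
        return parse_connack(sock.recv(4))


def clear_retained(host: str, port: int, username: str, password: str,
                   topic: str, timeout: float = 5.0) -> None:
    """Authenticate, then publish an empty retained message to drop the retained one."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("retain-clear", username, password))
        accepted, code, meaning = parse_connack(sock.recv(4))
        if not accepted:
            raise PermissionError(f"broker refused connection: {code} ({meaning})")
        sock.sendall(build_publish(topic, b"", retain=True))
        sock.sendall(b"\xe0\x00")     # DISCONNECT


if __name__ == "__main__":
    # Usage: python mqtt_check.py HOST PORT USER PASS [TOPIC_TO_CLEAR]
    host, port, user, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    ok, code, meaning = check_credentials(host, port, user, pw)
    print(f"{user}: CONNACK {code} ({meaning})")
    if ok and len(sys.argv) > 5:
        clear_retained(host, port, user, pw, sys.argv[5])
        print(f"cleared retained message on {sys.argv[5]}")
```

Running it against the add-on with a HASS user versus a user defined in the add-on's own config shows directly which of the two the broker accepts; a return code of 5 (not authorized) or 4 (bad user name or password) is the broker saying no, which is easier to reason about than a generic "connection failed" in a GUI client. Clearing a retained `homeassistant/.../config` topic is the same empty retained publish MQTT Explorer performs when you delete a retained message.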