Secure Chat Using PubNub Access Manager

4 min read Michael Carroll on Oct 24, 2013

How to build a secure chat application using PubNub Access Manager for fine-grained, serverless control over chat users.

One of the fundamentals of building a successful application is having a great security model. Unfortunately, it is also one of the most difficult and most often overlooked features when building projects. In building PubNub Access Manager, we aimed to create an easy-to-use yet powerful security model for real-time applications, like secure chat.

To test and demonstrate these capabilities, we developed a text-based chat application with a single channel for secure chat. The users of the page can change their security rights to chat by asking permission from an app server that grants and revokes access. It does this by communicating through an unrestricted PubNub channel.

You can see the finished product as a full working secure chat demo here. It was all built using JavaScript in the front end and JavaScript on NodeJS in the back end. If you open the JavaScript console while using the application, you can see the access-denied logs when you do not have access to the channel. This shows that when sending a message, the page always tries to access the server and does not apply any client-side validation rules.

Getting Started with Secure Chat

You’ll first need to sign up for a PubNub account. Once you sign up, you can get your unique PubNub keys in the PubNub Developer Portal.

To start, send a few messages before logging in to see that your access is denied. Then click “Login” and you will be given access for one minute to send messages to the channel. Open up the same page in a new window and you will see that none of your blocked messages make it to the other users, but when you have access they do.

The code to grant and revoke access to a channel is simple. First, you initialize PubNub on one of your app servers using the Secret Key for your account. This allows the server to modify the permissions for other users. It then has a command called “grant” that allows it to modify permissions. It can change read and write permissions separately, and it can set a ttl that expires the permissions after a certain period of time.

This is a big step forward in securing real-time applications on the web. Typically a security model involves setting up a lot of core infrastructure that protects every access point of your application. With PubNub Access Manager, developers can let PubNub deal with the infrastructure of securing every user and just provide the rules of who can access what. This not only makes using PubNub as a security model easier to set up but also much more scalable than setting everything up without help.

PubNub Access Manager

PubNub Access Manager (PAM) was designed to get you up and running quickly without jumping through hoops such as creating large configuration files for roles and users. We’ve created a whitelist authentication system that allows you to lock down certain channels for users that need access to secure data. It does this by validating all messages on the edge of our data stream network, ensuring that no unsecured data is ever pushed into a channel that a user does not have access to.

One of the benefits of this is that rules are always dynamic and can be changed by the application developer. Not only can they be changed on the fly, but they can also be assigned at the key level, channel level, or specific client user level.

Once the server gets the message, it then gives the user access to the secure chat channel. It identifies users by a user-generated authorization key that is provided to the PubNub libraries. This works much like a unique user ID but one that can be shared across multiple users.
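The grant behaviour described under "Getting Started" (separate read and write flags plus a ttl) and the whitelist levels described in this section can be modelled locally as below. This is an added example, not code from the original post or from the PubNub SDK: the `AccessTable` class, the `secure-chat` channel, the auth keys, the minute-based ttl and the "any level that grants wins" rule are all assumptions of the model.

```javascript
// Simplified local model of whitelist access rules (added example, hypothetical names;
// not PubNub's SDK or implementation). Time is passed in so the result is repeatable.
class AccessTable {
  constructor() {
    this.entries = new Map(); // slot -> { read, write, expires }
  }

  // Omitted values become '*': ('*','*') is the key level, (channel,'*') the
  // channel level, (channel, authKey) the specific client user level.
  static slot(channel = '*', authKey = '*') {
    return JSON.stringify([channel, authKey]);
  }

  // ttlMinutes is a model assumption; 0 means the entry never expires.
  grant({ channel, authKey, read = false, write = false, ttlMinutes = 0 }, now) {
    const expires = ttlMinutes > 0 ? now + ttlMinutes * 60000 : Infinity;
    this.entries.set(AccessTable.slot(channel, authKey), { read, write, expires });
  }

  // Revoking overwrites the entry with both permissions switched off.
  revoke({ channel, authKey }, now) {
    this.grant({ channel, authKey, read: false, write: false }, now);
  }

  // Default deny: allowed only if an unexpired entry at some level grants op.
  check(op, channel, authKey, now) {
    if (op !== 'read' && op !== 'write') return false;
    const levels = [AccessTable.slot(), AccessTable.slot(channel),
      AccessTable.slot(channel, authKey)];
    return levels.some((k) => {
      const e = this.entries.get(k);
      return Boolean(e) && now < e.expires && e[op] === true;
    });
  }
}

// Constructed walk-through of the demo: denied, login, allowed, expired.
function demoFlow() {
  const table = new AccessTable();
  const ch = 'secure-chat';
  table.grant({ channel: ch, read: true }, 0); // channel level: anyone may read
  const beforeLogin = table.check('write', ch, 'auth-alice', 0);
  table.grant({ channel: ch, authKey: 'auth-alice', read: true, write: true, ttlMinutes: 1 }, 0);
  const withinTtl = table.check('write', ch, 'auth-alice', 30000);
  const otherKey = table.check('write', ch, 'auth-bob', 30000);
  const afterTtl = table.check('write', ch, 'auth-alice', 61000);
  const readOnly = table.check('read', ch, 'auth-bob', 61000);
  return [beforeLogin, withinTtl, otherKey, afterTtl, readOnly];
}
```

Because this model allows an operation when any level grants it, revoking a user-level entry does not remove a broader channel-level or key-level grant, so broad grants deserve the most scrutiny.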

With PubNub Access Manager it’s just that easy to begin building truly secure real-time applications. Check out the resources below to learn more or head to the Developer’s Portal today to enable this new feature.


To read more about PubNub Access Manager, check out our documentation. Again, the full working PAM secure chat demo can be seen here. Additionally, the source code for the demo can be seen here.
