Secure Chat Using Access Manager

4 min read Michael Carroll on Oct 24, 2013

Good News

Good News! We’ve launched an all new Chat Resource Center.

We recommend checking out our new Chat Resource Center, which includes overviews, tutorials, and design patterns for building and deploying mobile and web chat.

Take me to the Chat Resource Center →

PubNub-Access-ManagerOne of the fundamentals of building a successful application is having a great security model. Unfortunately, it also happens to be one of the most difficult and often overlooked features when building projects. In building Access Manager, we aimed to create an easy to use yet powerful security model for real-time applications, like secure chat.

To test and demonstrate these capabilities, we developed a text-based chat application with a single channel for secure chat. The users of the page can change their security rights to chat by asking permission from an app server that grants and revokes access. It does this by communicating through an unrestricted PubNub channel.

You can see the finished product as a full working secure chat demo here. It was all built using JavaScript in the front end and JavaScript on NodeJS in the back end. If you open up the JavaScript console while using the application, you see can see the access denied logs when you do not have access to the channel. This shows that when sending a message, it is always trying to access the server and not doing any client-side validation rules.

Getting Started with Secure Chat

secure chat

You’ll first need to sign up for a PubNub account. Once you sign up, you can get your unique PubNub keys in the PubNub Developer Portal.

To start, send a few messages before logging in to see that your access is denied. Then click “Login” and you will be given access for one minute to send messages to the channel. Open up the same page in a new window and you will see that none of your blocked messages make it to the other users, but when you have access they do.

The code to grant and revoke access to a channel is simple. First, you initiate PubNub on one of your app servers using the Secret Key with your account. This allows the server to modify the permissions for other users. It then has a command called “grant” that allows it to modify permissions. It can change both read and write permissions separately as well as providing a ttl to expire the permissions after a certain period of time.

This is a big step forward in securing real-time applications on the web. Typically a security model involves setting up a lot of core infrastructure that protects every access point of your application. With Access Manager, developers can let PubNub deal with the infrastructure of securing every user and just provide the rules of who can access what. This not only makes using PubNub as a security model easier to setup but also much more scalable than setting everything up without help.

secure chat

Access Manager

Access Manager was designed to get you up and running quickly without jumping through hoops such as creating large configuration files for roles and users. We’ve created a whitelist authentication system that allows you to lock down certain channels for users that need access to secure data. It does this by validating all messages on the edge of our data stream network, ensuring no unsecure data will ever be pushed into a channel that a user does not have access to.

One of the benefits of this is that rules are always dynamic and can be changed by the application developer. Not only can they be changed on the fly, but can also be assigned on the key level, channel level, or specific client user level.

Once the server gets the message, it then gives the user access to the secure chat channel. It identifies users by a user-generated authorization key that is provided to the PubNub libraries. This works much like a unique user ID but one that can be shared across multiple users.

With Access Manager it’s just that easy to begin building truly secure real-time applications. Check out the resources below to learn more or head to the Developer’s Portal today to enable this new feature.


To read more about Access Manager, check out our documentation. Again, the full working Access Manager secure chat demo can be seen here. Additionally, the source code for the demo can be seen here.

Get Started
Sign up for free and use PubNub to power secure chat