Manage access

Often times it's necessary to limit users' access to resources, like channels or user metadata, within your application. For instance, you can set up a one-to-one chat room by only allowing two users to send and receive messages in a specific channel.

PubNub's access manager controls client access to resources using time-limited permission tokens. These tokens are granted by PubNub and contain an embedded list of permitted operations for the SDK which has that token. Once PubNub grants a token, it's added to the client SDK's configuration and is sent with every SDK call until it expires or is revoked.

Additionally, you may define a single UUID that can use the token. This way, no other UUID can use the token. If the authorized UUID is different than the UUID which sends the request, PubNub will deny the request.

Even though it's PubNub that grants the token, you request that a token be granted using an SDK. However, not every SDK instance may request tokens from PubNub. To use the access manager, you must first enable it on the Admin Portal and initialize one of PubNub's SDK using a secretKey. Then, that SDK acts as an intermediary between the clients that request access (SDKs) and PubNub.

Go to SDK

const pubnub = new PubNub({
   subscribeKey: 'mySubscribeKey',
   publishKey: 'myPublishKey',
   uuid: 'myUniqueUUID',
   secretKey: 'mySecretKey'
});

Go to SDK

PNConfiguration pn_config = new PNConfiguration();
pn_config.setPublishKey("myPublishKey");
pn_config.setSubscribeKey("mySubscribeKey");
pn_config.setUUID("myUniqueUUID");
pn_config.setSecretKey("mySecretKey");

PubNub pubnub = new PubNub(pn_config);

Go to SDK

PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.Uuid = "myUniqueUuid";
Pubnub pubnub = new Pubnub(pnconfig);

Go to SDK

pn_config = PNConfiguration()
pn_config.publish_key = "my_publish_key"
pn_config.subscribe_key = "my_subscribe_key"
pn_config.uuid = "my_unique_uuid"
pn_config.secret_key = "my_secret_key"

pubnub = PubNub(pn_config)

To issue a grant request, you must make a call from the client SDK, which is the client that wants to have access, to the server SDK, which is the intermediary between clients and PubNub.

The code below grants the thomas_anderson UUID read access to channel-a and read/write access to channel-b, channel-c, and uuid-d for 15 minutes.

Go to SDK

pubnub.grantToken(
    {
        ttl: 15,
        authorized_uuid: "thomas_anderson",
        resources: {
            channels: {
                "channel-a": {
                    read: true
                },
               "channel-b": {
                    read: true,
                    write: true
                },
               "channel-c": {
                    read: true,
                    write: true
                }
            },
            uuids: {
                "uuid-d": {
                    get: true,
                    update: true
                }
            }
        }
    },
    function (status, token) {
        console.log(token)
    });

Go to SDK

pubnub.grantToken()
    .ttl(15)
    .authorizedUUID("thomas_anderson")
        .channels(Arrays.asList(
                ChannelGrant.name("channel-a").read(),
                ChannelGrant.name("channel-b").read().write(),
                ChannelGrant.name("channel-c").read().write(),
        .uuids(Arrays.asList(
                UUIDGrant.id("uuid-d").get().update()))
        .async(new PNCallback<PNGrantTokenResult>() {
            @Override
            public void onResponse(@Nullable PNGrantTokenResult result, @NotNull PNStatus status) {
                if (status.error()) {
                    // Handle error
                }
                else {
                    // Handle result
                }
            }
        }).sync();

Go to SDK

PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
    .TTL(15)
    .AuthorizedUuid("thomas_anderson")
    .Resources(new PNTokenResources()
    {
        Channels = new Dictionary<string, PNTokenAuthValues>() {
            { "channel-a", new PNTokenAuthValues() { Read = true } },
            { "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
            { "channel-c", new PNTokenAuthValues() { Read = true, Write = true } },
        Uuids = new Dictionary<string, PNTokenAuthValues>() {
            { "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } }}
    })
    .ExecuteAsync();
PNAccessManagerTokenResult grantTokenResult = grantTokenResponse.Result;
PNStatus grantTokenStatus = grantTokenResponse.Status;
if (!grantTokenStatus.Error && grantTokenResult != null)
{
    Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenResult));
}
else
{
    Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenStatus));
}

Go to SDK

channels = [
    Channel.id("channel-a").read(),
    Channel.id("channel-b").read().write(),
    Channel.id("channel-c").read().write(),
]
uuids = [
    UUID.id("uuid-d").get().update()
]
envelope = pubnub.grant_token()
    .channels(channels)
    .ttl(15)
    .channel_groups(channel_groups)
    .uuids(uuids)
    .authorized_uuid("thomas_anderson")
    .sync()

When you grant permissions, you don't have to manually input every resource you want to grant or change access to. With a single call, you may grant access to multiple channels, channel groups, and UUID metadata using RegEx.

It's worth noting that PubNub allows you to add custom business logic on the server-side as well.

Add custom metadataAdd serverless business logic