PubNub Logo Docs
Support Contact Sales Login Try Our APIs

›First steps

Collapse all
Dark mode

Home

  • Home

First steps

  • Set up your account
  • Get the SDK
  • Initialize PubNub
  • Identify users and devices
  • Send messages
  • Receive messages
  • Retrieve old messages
  • Check user presence
  • Add custom metadata
  • Manage access
  • Add serverless business logic
  • Send push notifications

Setup

  • PubNub account
  • Application
  • Users & devices
  • Connection management
  • Data security
  • Data persistence
  • API limits

Chat

  • In-App Chat

SDKs

  • SDKs

Messages

  • Publish
  • Receive
  • Actions
  • Payload type conventions

Channels

  • Basics
  • Subscription
  • Naming conventions

User presence

  • Basics
  • Events
  • State
  • Webhooks

Metadata

  • Channel
  • User
  • Membership

Message Persistence

  • Message Persistence

File sharing

  • File sharing

Access management

  • Manage access

Push notifications

  • Basics
  • iOS
  • Android
  • Troubleshooting

Best practices

  • Architectural choices
  • Message aggregation
  • Friend list & status feed
  • Troubleshooting
  • Migration guides

Serverless processing

    EVENTS & ACTIONS

    • Basics
    • Configure Events & Actions

    FUNCTIONS

    • Basics
    • Development guidelines
    • Functions API
    • Custom integrations

Debug Console
Network Status

Manage access

Often times it's necessary to limit users' access to resources, like channels or user metadata, within your application. For instance, you can set up a one-to-one chat room by only allowing two users to send and receive messages in a specific channel.

PubNub's access manager controls client access to resources using time-limited permission tokens. These tokens are granted by PubNub and contain an embedded list of permitted operations for the SDK which has that token. Once PubNub grants a token, it's added to the client SDK's configuration and is sent with every SDK call until it expires or is revoked.

Additionally, you may define a single UUID that can use the token. This way, no other UUID can use the token. If the authorized UUID is different than the UUID which sends the request, PubNub will deny the request.

Even though it's PubNub that grants the token, you request that a token be granted using an SDK. However, not every SDK instance may request tokens from PubNub. To use the access manager, you must first enable it on the Admin Portal and initialize one of PubNub's SDK using a secretKey. Then, that SDK acts as an intermediary between the clients that request access (SDKs) and PubNub.

Node.js
Android
C#
Python

Go to SDK

const pubnub = new PubNub({
subscribeKey: 'mySubscribeKey',
publishKey: 'myPublishKey',
uuid: 'myUniqueUUID',
secretKey: 'mySecretKey'
});

Go to SDK

PNConfiguration pn_config = new PNConfiguration();
pn_config.setPublishKey("myPublishKey");
pn_config.setSubscribeKey("mySubscribeKey");
pn_config.setUUID("myUniqueUUID");
pn_config.setSecretKey("mySecretKey");

PubNub pubnub = new PubNub(pn_config);

Go to SDK

PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.Uuid = "myUniqueUuid";
Pubnub pubnub = new Pubnub(pnconfig);

Go to SDK

pn_config = PNConfiguration()
pn_config.publish_key = "my_publish_key"
pn_config.subscribe_key = "my_subscribe_key"
pn_config.uuid = "my_unique_uuid"
pn_config.secret_key = "my_secret_key"

pubnub = PubNub(pn_config)

To issue a grant request, you must make a call from the client SDK, which is the client that wants to have access, to the server SDK, which is the intermediary between clients and PubNub.

The code below grants the thomas_anderson UUID read access to channel-a and read/write access to channel-b, channel-c, and uuid-d for 15 minutes.

Node.js
Android
C#
Python

Go to SDK

pubnub.grantToken(
{
ttl: 15,
authorized_uuid: "thomas_anderson",
resources: {
channels: {
"channel-a": {
read: true
},
"channel-b": {
read: true,
write: true
},
"channel-c": {
read: true,
write: true
}
},
uuids: {
"uuid-d": {
get: true,
update: true
}
}
}
},
function (status, token) {
console.log(token)
});

Go to SDK

pubnub.grantToken()
.ttl(15)
.authorizedUUID("thomas_anderson")
.channels(Arrays.asList(
ChannelGrant.name("channel-a").read(),
ChannelGrant.name("channel-b").read().write(),
ChannelGrant.name("channel-c").read().write(),
.uuids(Arrays.asList(
UUIDGrant.id("uuid-d").get().update()))
.async(new PNCallback<PNGrantTokenResult>() {
@Override
public void onResponse(@Nullable PNGrantTokenResult result, @NotNull PNStatus status) {
if (status.error()) {
// Handle error
}
else {
// Handle result
}
}
}).sync();

Go to SDK

PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
.TTL(15)
.AuthorizedUuid("thomas_anderson")
.Resources(new PNTokenResources()
{
Channels = new Dictionary<string, PNTokenAuthValues>() {
{ "channel-a", new PNTokenAuthValues() { Read = true } },
{ "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
{ "channel-c", new PNTokenAuthValues() { Read = true, Write = true } },
Uuids = new Dictionary<string, PNTokenAuthValues>() {
{ "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } }}
})
.ExecuteAsync();
PNAccessManagerTokenResult grantTokenResult = grantTokenResponse.Result;
PNStatus grantTokenStatus = grantTokenResponse.Status;
if (!grantTokenStatus.Error && grantTokenResult != null)
{
Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenResult));
}
else
{
Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenStatus));
}

Go to SDK

channels = [
Channel.id("channel-a").read(),
Channel.id("channel-b").read().write(),
Channel.id("channel-c").read().write(),
]
uuids = [
UUID.id("uuid-d").get().update()
]
envelope = pubnub.grant_token()
.channels(channels)
.ttl(15)
.channel_groups(channel_groups)
.uuids(uuids)
.authorized_uuid("thomas_anderson")
.sync()

When you grant permissions, you don't have to manually input every resource you want to grant or change access to. With a single call, you may grant access to multiple channels, channel groups, and UUID metadata using RegEx.

It's worth noting that PubNub allows you to add custom business logic on the server-side as well.

← Add custom metadataAdd serverless business logic →
© PubNub Inc. - Privacy Policy