Permissions

When you develop a chat app, you might want to set rules that let only selected users access specific channels and user metadata. You can set up a detailed permission schema for your application and decide who can do what with your data. This way, you secure and protect your application against unauthorized third-party access attempts.

For example, you can let only specific users modify public channel information or profiles of other chat users. You can also let only admins remove users from channels for offensive behavior.

Chat SDK, as a purely client-side library, doesn't do anything specific to handle such permissions internally, apart from imposing some limits through client-side errors:

The allowed channel membership (direct, group, or public channel types).
Availability of specific features in public chats (you'll get errors when implementing such Chat SDK features as typing indicator, invites, or read receipts).

Still, you can use the cryptographic, token-based permission administrator from PubNub called Access Manager to impose strict access rules for PubNub resources in your app.

Chat SDK is based on the JavaScript SDK, and you can easily access all methods the JavaScript SDK exposes. The same applies to all the Access Manager-related methods.

Required configuration

Before you start using Access Manager, you must configure your app:

Enable Access Manager on your app's keyset in the Admin Portal.
Initialize the Chat SDK (init()):

With the secretKey on your servers to secure your PubNub instance. secretKey is a shared secret between your application's server and PubNub and it's used to administer Access Manager permissions for your client applications by signing and verifying the authenticity of messages and requests. Read Moderation for examples.
With the authKey on your clients to authenticate users in your application and grant them access to PubNub resources (other users' metadata and channels). Read Moderation for examples.

Secret key security

The secretKey should only be used within a secure server and never exposed to client devices. If the secretKey is ever compromised, it can be an extreme security risk to your application. If you suspect your secretKey has been compromised, you can generate a new secretKey for the existing PubNub keyset on the Admin Portal.

Use Access Manager

To implement access rules in your app, refer to Access Manager API using these JavaScript SDK methods:

chat.sdk.grantToken() to generate a time-limited authorization token with an embedded access control list.

Channel group limitation
Chat SDK doesn't support channel groups, so you can only set permissions for the channels and users.
chat.sdk.revokeToken() to disable an existing token and revoke all permissions embedded within.
chat.sdk.parseToken() to decode an existing token and return the object containing permissions embedded in that token.
chat.sdk.setToken() to update the authentication token granted by the server.

Resource permissions

You can use Access Manager in Chat SDK to define what operations (like read, write, or get) your chat app users can do with such PubNub resources as channels (channels) and other users' metadata (uuids):

Resource type	Permissions
`channels`	`read`, `write`, `get`, `manage`, `update`, `join`, `delete`
`uuids`	`get`, `update`, `delete`

Read the Moderation documentation to learn how you can mute and ban users in your chat app and secure these restrictions with Access Manager.

Example

Grant support-agent the read type of access to a group channel called priority-tickets and write type of access to all public channels. Granted access must expire after 15 minutes.

try {
    const token = await chat.sdk.grantToken({
        ttl: 15,
        authorized_uuid: "support-agent",
        resources: {
            channels: {
                "priority-tickets": {
                    read: true
                },
            },
        },
        patterns: {
            channels: {
                // wildcard pattern that refers to all channels whose IDs start with the "public" prefix
                "public.*": {
show all 23 lines

Operations-to-permissions mapping

The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Chat SDK's sendText() method).

The following tables show how specific permissions granted to PubNub resources translate to operations users can later perform in a chat app.

Pub/Sub

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Publish on channels	`channels`	`write`	Send text messages (`sendText()`) Send messages with referenced channels and user mentions (`send()`) Forward messages (`forward()`, `forwardMessage()`) Create and send events (`emitEvent()`) Report users/messages (`report()`)
Send signals to channels	`channels`	`write`	Typing indicator methods Create and send events (`emitEvent()`)
Subscribe to channels	`channels`	`read`	Typing indicator methods Receive events (`listenForEvents()`) Receive messages (`connect()`) Membership updates (`streamUpdates()`, `streamUpdatesOn()`) Channel updates (`update()`, `updateChannel()`) Messages updates (`streamUpdates()`, `streamUpdatesOn()`) User updates (`streamUpdates()`, `streamUpdatesOn()`)
Subscribe to presence channels	Presence channels (`<channel-name>-pnpres`)	`read`	n/a
Unsubscribe from channels	`channels`	None required	Stop receiving typing signals, events, messages, updates on membership, channels, messages, and users

Presence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Here Now	`channels`	`read`	Channel presence (`whoIsPresent()`)
Where Now	`channels`	None required	Channel presence (`wherePresent()`, `isPresentOn()`, `isPresent()`)

Message Persistence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Fetch historical messages	`channels`	`read`	`getHistory()`
Message counts	`channels`	`read`	Unread messages (`getUnreadMessagesCount()`, `getUnreadMessagesCounts()`)
Delete messages	`channels`	`delete`	`delete()`

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Send files on channels	`channels`	`write`	`sendText()`
List files	`channels`	`read`	`getFiles()`
Delete files	`channels`	`delete`	`deleteFile()`

App Context

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Set user metadata	`uuids`	`update`	Create users (`createUser()`) Update user metadata (`update()`, `updateUser()`)
Delete user metadata	`uuids`	`delete`	`deleteUser()`, `delete()`
Get user metadata	`uuids`	`get` For channel references to work with Access Manager enabled on your app's keyset, make sure the `Disallow Get All Channel Metadata` option for App Context on the Admin Portal is not selected.	Get user data (`getUser()`) Track mentions and channel references (`onChange()`)
Get all user metadata	`uuids`	Granted by default by enabling App Context on the app's keyset on the Admin Portal. The `Disallow Get All User Metadata` option disables it.	`chat.getUsers()`
Set channel metadata	`channels` When working with threads, also grant permissions to PUBNUB_INTERNAL_THREAD channels.	`update`, `get`	Create channels (`createDirectConversation()`, `createGroupConversation()`, `createPublicConversation()`) Update channels (`update()`, `updateChannel()`) Pin messages (`pin()`, `pinMessage()`) Threads (`createThread()`, `pinMessage()`, `pinMessageToParentChannel()`, `pinToParentChannel()`, `unpinMessage()`, `unpinMessageFromParentChannel()`, `unpinFromParentChannel()`)
Delete channel metadata	`channels`	`delete`	`delete()`, `deleteChannel()`
Get channel metadata	`channels`	`get`	Get channel details (`getChannel()`) Get pinned messages (`getPinnedMessage()`) Get thread (`getThread()`)
Get all channel metadata	`channels`	Granted by default by enabling App Context on the app's keyset on the Admin Portal. The `Disallow Get All Channel Metadata` option disables it.	`chat.getChannels()`
Set channel members	`channels`	`manage`	Invite multiple users to channels (`inviteMultiple()`) Mute/Ban users (`setRestrictions()`)
Remove channel members	`channels`	`manage`	Unmute/Unban users (`setRestrictions()`)
Get channel members	`channels`	`get`	Get members (`getMembers()`) Check restrictions (`getUserRestrictions()`, `getUsersRestrictions()`, `getChannelsRestrictions()`, `getChannelRestrictions()`)
Set channel memberships	`channels`, `uuids`	`join` on `channels` `update` on `uuids`	Create channels (`createDirectConversation()`, `createGroupConversation()`) Invite a user to a channel (`invite()`) Join channels (`join()`) Update membership (`update()`) Unread messages (`setLastReadMessage()`, `markAllMessagesAsRead()`)
Remove channel memberships	`channels`, `uuids`	`join` on `channels` `update` on `uuids`	Leave channels (`leave()`)
Get channel memberships	`uuids`	`get`	List channels (`getChannels()`), `getMemberships()`

Mobile Push Notifications

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Register channel for push	`channels`	`read`	`registerForPush()`, `registerPushChannels()`
Remove channel's push registration	`channels`	`read`	`unregisterFromPush()`, `unregisterPushChannels()`

Message Reactions

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Add message reaction	`channels`	`write`	`toggleReaction()`
Remove message reaction	`channels`	`delete`	`toggleReaction()`
Get history with reactions	`channels`	`read`	`getHistory()`

Required configuration​

Secret key security

Use Access Manager​

Channel group limitation

Resource permissions​

Example​

Operations-to-permissions mapping​

Pub/Sub​

Presence​

Message Persistence​

File Sharing​

App Context​

Mobile Push Notifications​

Message Reactions​