On this page

Permissions

Control who can access channels and user metadata in your chat app. Define permission schemas to protect against unauthorized access.

Examples:

Restrict channel/profile modifications to specific users
Allow only admins to remove users from channels

Chat SDK limitations (client-side only):

Channel membership restrictions (direct, group, public)
Feature availability errors in public chats (typing indicator, invites, read receipts)

Use Access Manager for strict server-enforced access rules. Chat SDK exposes all JavaScript SDK methods including Access Manager.

Required configuration

Enable Access Manager in the Admin Portal.
Initialize Chat SDK:
- Server: with secretKey to administer permissions
- Client: with authKey to authenticate users

See Moderation for examples.

Secret key security

Never expose secretKey to clients. If compromised, generate a new one in the Admin Portal.

Use Access Manager

Available methods:

chat.sdk.grantToken() - Generate time-limited token with access control list
chat.sdk.revokeToken() - Disable token and revoke permissions
chat.sdk.parseToken() - Decode token to view permissions
chat.sdk.setToken() - Update authentication token

Channel group limitation

Chat SDK doesn't support channel groups. Use a core SDK for channel groups.

Resource permissions

Define operations users can perform on PubNub resources:

Resource type	Permissions
`channels`	`read`, `write`, `get`, `manage`, `update`, `join`, `delete`
`uuids`	`get`, `update`, `delete`

See Moderation for muting/banning with Access Manager.

Example

Grant support-agent the read type of access to a group channel called priority-tickets and write type of access to all public channels. Granted access must expire after 15 minutes.

1try {
  const token = await chat.sdk.grantToken({
      ttl: 15,
      authorized_uuid: "support-agent",
      resources: {
          channels: {
              "priority-tickets": {
                  read: true
              },
          },
      },
      patterns: {
          channels: {
              // wildcard pattern that refers to all channels whose IDs start with the "public" prefix
              "public.*": {
                  write: true
              }
          }
      }
  });
21} catch (status) {
  console.log(status);
23}
show all 23 lines

Operations-to-permissions mapping

Access levels determine user operations. Example: write on channels allows sending messages via sendText().

The tables below map permissions to Chat SDK operations.

Pub/Sub

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Publish on channels	`channels`	`write`	Send text messages (`sendText()`) Send messages with referenced channels and user mentions (`send()`) Forward messages (`forward()`, `forwardMessage()`) Create and send events (`emitEvent()`) Report messages (`report()`)
Send signals to channels	`channels`	`write`	Typing indicator methods Create and send events (`emitEvent()`)
Subscribe to channels	`channels`	`read`	Typing indicator methods Receive events (`listenForEvents()`) Receive messages (`connect()`) Membership updates (`streamUpdates()`, `streamUpdatesOn()`) Channel updates (`update()`, `updateChannel()`) Messages updates (`streamUpdates()`, `streamUpdatesOn()`) User updates (`streamUpdates()`, `streamUpdatesOn()`)
Subscribe to presence channels	Presence channels (`<channel-name>-pnpres`)	`read`	n/a
Unsubscribe from channels	`channels`	None required	Stop receiving typing signals, events, messages, updates on membership, channels, messages, and users

Presence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Here Now	`channels`	`read`	Channel presence (`whoIsPresent()`)
Where Now	`channels`	None required	Channel presence (`wherePresent()`, `isPresentOn()`, `isPresent()`)

Message Persistence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Fetch historical messages	`channels`	`read`	`getHistory()`
Message counts	`channels`	`read`	Unread messages (`getUnreadMessagesCount()`, `fetchUnreadMessagesCounts()`)
Delete messages	`channels`	`delete`	`delete()`

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Send files on channels	`channels`	`write`	`sendText()`
List files	`channels`	`read`	`getFiles()`
Delete files	`channels`	`delete`	`deleteFile()`

App Context

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Set user metadata	`uuids`	`update`	Create users (`createUser()`) Update user metadata (`update()`, `updateUser()`)
Delete user metadata	`uuids`	`delete`	`deleteUser()`, `delete()`
Get user metadata	`uuids`	`get`	Get user data (`getUser()`) Track mentions (`onChange()`)
Get all user metadata	`uuids`	You don't need to specify permissions to enable it if you uncheck the `Disallow Get All User Metadata` option in the App Context configuration in the Admin Portal.	`chat.getUsers()`
Set channel metadata	`channels` When working with threads, also grant permissions to PUBNUB_INTERNAL_THREAD channels.	`update`, `get`	Create channels (`createDirectConversation()`, `createGroupConversation()`, `createPublicConversation()`) Update channels (`update()`, `updateChannel()`) Pin messages (`pin()`, `pinMessage()`) Threads (`createThread()`, `pinMessage()`, `pinMessageToParentChannel()`, `pinToParentChannel()`, `unpinMessage()`, `unpinMessageFromParentChannel()`, `unpinFromParentChannel()`)
Delete channel metadata	`channels`	`delete`	`delete()`, `deleteChannel()`
Get channel metadata	`channels`	`get`	Get channel details (`getChannel()`) Get pinned messages (`getPinnedMessage()`) Get thread (`getThread()`)
Get all channel metadata	`channels`	You don't need to specify permissions to enable it if you uncheck the `Disallow Get All Channel Metadata` option in the App Context configuration in the Admin Portal.	`chat.getChannels()`
Set channel members	`channels`	`manage`	Invite multiple users to channels (`inviteMultiple()`) Mute/Ban users (`setRestrictions()`)
Remove channel members	`channels`	`manage`	Unmute/Unban users (`setRestrictions()`)
Get channel members	`channels`	`get`	Get members (`getMembers()`) Check restrictions (`getUserRestrictions()`, `getUsersRestrictions()`, `getChannelsRestrictions()`, `getChannelRestrictions()`)
Set channel memberships	`channels`, `uuids`	`join` on `channels` `update` on `uuids`	Create channels (`createDirectConversation()`, `createGroupConversation()`) Invite a user to a channel (`invite()`) Join channels (`join()`) Update membership (`update()`) Unread messages (`setLastReadMessage()`, `markAllMessagesAsRead()`)
Remove channel memberships	`channels`, `uuids`	`join` on `channels` `update` on `uuids`	Leave channels (`leave()`)
Get channel memberships	`uuids`	`get`	List channels (`getChannels()`), `getMemberships()`

Mobile Push Notifications

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Register channel for push	`channels`	`read`	`registerForPush()`, `registerPushChannels()`
Remove channel's push registration	`channels`	`read`	`unregisterFromPush()`, `unregisterPushChannels()`

Message Reactions

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Add message reaction	`channels`	`write`	`toggleReaction()`
Remove message reaction	`channels`	`delete`	`toggleReaction()`
Get history with reactions	`channels`	`read`	`getHistory()`

Required configuration​

Secret key security

Use Access Manager​

Channel group limitation

Resource permissions​

Example​

Operations-to-permissions mapping​

Pub/Sub​

Presence​

Message Persistence​

File sharing​

App Context​

Mobile Push Notifications​

Message Reactions​