---
source_url: https://www.pubnub.com/docs/chat/chat-sdk/learn/access-control
title: Access control & data security
updated_at: 2026-06-25T07:46:07.539Z
---


# Access control & data security

Control who can access resources in your chat app through authentication (identity verification) and authorization (permission management).

:::warning Required keyset configuration
To use the [getChannels()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/channels/list), [getChannelSuggestions()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/channels/references), [getUsers()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/users/list), and [getUserSuggestions()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/users/mentions) methods in the Chat SDKs with Access Manager, you must uncheck the Disallow Get All Channel Metadata and Disallow Get All User Metadata checkboxes in the App Context section of your keyset configuration in the [Admin Portal](https://admin.pubnub.com).
:::

## User authentication

Authentication verifies user identity. The Chat SDK does not include built-in authentication. Implement your own system using:

* Username/password login
* Token-based authentication
* Single Sign-On (SSO)
* Two-factor authentication (2FA)
* OAuth or external identity providers

## User authorization

Authorization controls what authenticated users can do. Use [Access Manager](https://www.pubnub.com/docs/general/security/access-control) to:

* Grant or deny access to channels and users
* Define [permissions](https://www.pubnub.com/docs/chat/chat-sdk/build/features/users/permissions) for reading, writing, and managing data
* Protect private channels and user metadata

For details on client-server-PubNub interactions, see the [authorization workflow](https://www.pubnub.com/docs/general/security/access-control#authorization-flow).

:::note Enable Access Manager
Enable Access Manager on your keyset in the [Admin Portal](https://admin.pubnub.com/) and initialize the Chat SDK with `secretKey` (server-side) or `authKey` (client-side).
:::

## Data security

Encrypt messages and files using AES-CBC 256-bit encryption ([CBC block cipher mode](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation)).

:::warning Platform support
The crypto module works with web applications and Node.js. React Native is not supported.
:::

### Enable encryption

1. Import `CryptoModule` from `@pubnub/chat`
2. Add `cryptoModule` to your [configuration](https://www.pubnub.com/docs/chat/chat-sdk/build/configuration#initialize-pubnub)
3. Set a `cipherKey` for encryption/decryption

```ts
// you need to import CryptoModule
import {Chat, CryptoModule} from "@pubnub/chat"

const chat = Chat.init({
    publishKey: "demo",
    subscribeKey: "demo",
    userId: "myUniqueUserId",
    cryptoModule: CryptoModule.aesCbcCryptoModule({cipherKey: "pubnubEnigma"})
})
```

Once you register a crypto module in the configuration, you don't have to specify it explicitly in any method. The Chat SDK applies it automatically when:

* Encrypting messages with files as they are sent ([sendText()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/messages/send-receive#send)).
* Decrypting messages with files, both when they are received ([connect()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/messages/send-receive#receive)) and when they are retrieved from history ([getHistory()](https://www.pubnub.com/docs/chat/chat-sdk/build/features/messages/history)).

The Chat SDK automatically encrypts message and file data before it's uploaded to the storage service. The receiving client decrypts the data upon receiving it using the same key before it is displayed in the end-user application.

If you use the wrong cipher key to decrypt a message (for example, because you changed the encryption cipher key), you'll get an `Error while decrypting message content: {details}` error. This error is added as the value of the `error` field in the received [message](https://www.pubnub.com/docs/chat/chat-sdk/learn/chat-entities/message) instance.

In such cases, you can do the following:

* Manually decrypt the message or file using our [decrypt() utility method](https://www.pubnub.com/docs/chat/chat-sdk/build/features/utility-methods#decrypt-messagesfiles) and the original cipher key that you used to encrypt the message.
* Set an error fallback message shown to the end-users each time the message cannot be decrypted (otherwise, end-users will see a human-unreadable string instead of a message).

```ts
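// sample history of messages with a potential decryption error
// (constructed sample data; in your app, use the messages received
// via connect() or returned by getHistory())
const undecryptedMessages: { type: string; text: string; files: unknown[]; error?: string }[] = [
  { type: "text", text: "Hello", files: [] },
  { type: "text", text: "", files: [], error: "Error while decrypting message content: {details}" },
];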

// fallback mechanism for undecrypted messages
const decryptedMessagesWithFallback = undecryptedMessages.map((msg) => {
  if (msg.error && msg.error.startsWith("Error while decrypting message content")) {
    // fallback for undecrypted messages
    return {
      type: "text",
      files: [],
      text: "(This message is corrupted or could not be decrypted)",
    };
  }

  // message was decrypted without an error, return as is
  return msg;
});

// use decryptedMessagesWithFallback as needed
console.log(decryptedMessagesWithFallback);
```
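
A sketch of the first option above (retrying with the original cipher key before falling back to placeholder text), as an added example built on Node's `crypto` module; it is not PubNub's code and does not reproduce the SDK's key derivation or message format. The SHA-256 key derivation, the IV-prefixed layout, the key name `newCipherKey`, and the functions `encrypt`, `tryDecrypt` and `decryptWithKeyRing` are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";

// Assumption: 256-bit key = SHA-256(cipherKey). Illustrative, not PubNub's derivation.
const deriveKey = (cipherKey: string): Buffer =>
  createHash("sha256").update(cipherKey, "utf8").digest();

// Constructed layout: 16-byte random IV followed by the AES-256-CBC ciphertext.
function encrypt(payload: object, cipherKey: string): Buffer {
  const iv = randomBytes(16);
  const cipher = createCipheriv("aes-256-cbc", deriveKey(cipherKey), iv);
  return Buffer.concat([iv, cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
}

// Returns the decoded payload, or null when the key does not fit.
// CBC has no integrity tag: a wrong key usually fails the padding check, but
// roughly 1 in 256 times it passes and yields garbage. Parsing the result as
// JSON is a plausibility check on top of that, not authentication.
function tryDecrypt(blob: Buffer, cipherKey: string): unknown {
  try {
    const decipher = createDecipheriv("aes-256-cbc", deriveKey(cipherKey), blob.subarray(0, 16));
    const plain = Buffer.concat([decipher.update(blob.subarray(16)), decipher.final()]);
    return JSON.parse(plain.toString("utf8"));
  } catch {
    return null; // bad padding, truncated blob, or non-JSON garbage
  }
}

const FALLBACK = { type: "text", files: [], text: "(This message is corrupted or could not be decrypted)" };

// Try the current key first, then retired keys; keyIndex -1 means "show the fallback".
function decryptWithKeyRing(blob: Buffer, keys: string[]): { payload: unknown; keyIndex: number } {
  for (let i = 0; i < keys.length; i++) {
    const payload = tryDecrypt(blob, keys[i]);
    if (payload !== null) return { payload, keyIndex: i };
  }
  return { payload: FALLBACK, keyIndex: -1 };
}

// Constructed sample: a message encrypted before the cipher key was rotated.
const oldMessage = encrypt({ type: "text", text: "sent before rotation", files: [] }, "pubnubEnigma");
console.log(decryptWithKeyRing(oldMessage, ["newCipherKey", "pubnubEnigma"])); // keyIndex: 1
console.log(decryptWithKeyRing(oldMessage, ["newCipherKey"]));                 // keyIndex: -1
```

Because CBC alone does not detect tampering, a successful decrypt here only shows that the key fits, not that the ciphertext is unmodified.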

For a general overview of PubNub encryption/decryption concepts, refer to [Message encryption](https://www.pubnub.com/docs/general/setup/data-security#message-encryption), [File encryption](https://www.pubnub.com/docs/general/setup/data-security#file-encryption), and [JavaScript SDK crypto module](https://www.pubnub.com/docs/sdks/javascript/api-reference/configuration#cryptomodule).

## Operations-to-permissions mapping

The access level you grant on a given resource type defines which operations users can perform in your app. For example, `write` access given to a user for the `channels` resource type (either specific channels or channel `patterns`) lets them send messages to those channels (calling the PubNub Pub/Sub API underneath and the Chat SDK's `sendText()` method).

:::tip Chat SDK method to required Access Manager permission mapping
For information about which Chat SDK methods require what Access Manager permissions, refer to [Security and permissions](https://www.pubnub.com/docs/chat/security#operations-to-permissions-mapping).
:::