Permissions

Set rules that let only selected users access specific channels and user metadata. Secure your app against unauthorized access.

The Chat SDK, as a client-side library, imposes some limits through client-side errors:

• Allowed channel membership (direct, group, or public channel types)
• Feature availability in public chats (typing indicator, invites, read receipts)

Use PubNub's Access Manager for strict access rules. The Chat SDK exposes all Kotlin SDK Access Manager methods.

Required configuration

Before you start using Access Manager, you must configure your app:

1. Enable Access Manager on your app's keyset in the Admin Portal.
2. Initialize the Chat SDK (init()):

• With the secretKey on your servers to secure your PubNub instance. secretKey is a shared secret between your application's server and PubNub and it's used to administer Access Manager permissions for your client applications by signing and verifying the authenticity of messages and requests. Read Moderation for examples.

• With the token on your clients to authenticate users in your application and grant them access to PubNub resources (other users' metadata and channels). Read Moderation for examples.

Secret key security

The secretKey should only be used within a secure server and never exposed to client devices. If the secretKey is ever compromised, it can be an extreme security risk to your application. If you suspect your secretKey has been compromised, you can generate a new secretKey for the existing PubNub keyset on the Admin Portal.

Use Access Manager

To implement access rules in your app, refer to Access Manager API using these Kotlin SDK methods:

• chat.pubNub.grantToken() to generate a time-limited authorization token with an embedded access control list.

  Channel group limitation

  Chat SDK doesn't support channel groups, so you can only set permissions for the channels and users. We recommend using a core SDK to manage channel groups.

• chat.pubNub.revokeToken() to disable an existing token and revoke all permissions embedded within.

• chat.pubNub.parseToken() to decode an existing token and return the object containing permissions embedded in that token.

• chat.pubNub.setToken() to update the authentication token granted by the server.

Resource permissions

You can use Access Manager in Chat SDK to define what operations (like read, write, or get) your chat app users can do with such PubNub resources as channels (channels) and other users' metadata (uuids):

Resource type	Permissions
channels	read, write, get, manage, update, join, delete
uuids	get, update, delete

Read the Moderation documentation to learn how you can mute and ban users in your chat app and secure these restrictions with Access Manager.

Example

Grant support-agent the read type of access to a group channel called priority-tickets and write type of access to all public channels. Granted access must expire after 15 minutes.

1chat.pubNub.grantToken(
2    ttl = 15,
3    authorizedUUID = "support-agent",
4    channels = listOf(
5        ChannelGrant.name("priority-tickets", read = true),
6        ChannelGrant.pattern("public.*", write = true)
7    )
8).async {
9    it.onSuccess { token ->
10        // use token
11    }.onFailure {
12        // handle token grant failure
13    }
14}

Operations-to-permissions mapping

The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Chat SDK's sendText() method).

The following tables show how specific permissions granted to PubNub resources translate to operations users can later perform in a chat app.

Pub/Sub

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Publish on channels	channels	write	Send text messages with links, files, referenced channels, and user mentions (sendText()) Forward messages (forward(), forwardMessage()) Create and send events (emitEvent()) Report messages (report())
Send signals to channels	channels	write	Typing indicator methods Create and send events (emitEvent())
Subscribe to channels	channels	read	Typing indicator methods Receive events (listenForEvents()) Receive messages (connect()) Membership updates (streamUpdates(), streamUpdatesOn()) Channel updates (update(), updateChannel()) Messages updates (streamUpdates(), streamUpdatesOn()) User updates (streamUpdates(), streamUpdatesOn())
Subscribe to presence channels	Presence channels (<channel-name>-pnpres)	read	n/a
Unsubscribe from channels	channels	None required	Stop receiving typing signals, events, messages, updates on membership, channels, messages, and users

Presence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Here Now	channels	read	Channel presence (whoIsPresent())
Where Now	channels	None required	Channel presence (wherePresent(), isPresentOn(), isPresent())

Message Persistence

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Fetch historical messages	channels	read	getHistory()
Message counts	channels	read	Unread messages (getUnreadMessagesCount(), getUnreadMessagesCounts())
Delete messages	channels	delete	delete()

File sharing

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Send files on channels	channels	write	sendText()
List files	channels	read	getFiles()
Delete files	channels	delete	deleteFile()

App Context

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Set user metadata	uuids	update	Create users (createUser()) Update user metadata (update(), updateUser())
Delete user metadata	uuids	delete	deleteUser(), delete()
Get user metadata	uuids	get	Get user data (getUser())
Get all user metadata	uuids	You don't need to specify permissions to enable it if you uncheck the Disallow Get All User Metadata option in the App Context configuration in the Admin Portal.	chat.getUsers()
Set channel metadata	channels When working with threads, also grant permissions to PUBNUB_INTERNAL_THREAD channels.	update, get	Create channels (createDirectConversation(), createGroupConversation(), createPublicConversation()) Update channels (update(), updateChannel()) Pin messages (pin(), pinMessage()) Threads (createThread(), pinMessage(), pinMessageToParentChannel(), pinToParentChannel(), unpinMessage(), unpinMessageFromParentChannel(), unpinFromParentChannel())
Delete channel metadata	channels	delete	delete(), deleteChannel()
Get channel metadata	channels	get	Get channel details (getChannel()) Get pinned messages (getPinnedMessage()) Get thread (getThread())
Get all channel metadata	channels	You don't need to specify permissions to enable it if you uncheck the Disallow Get All Channel Metadata option in the App Context configuration in the Admin Portal.	chat.getChannels()
Set channel members	channels	manage	Invite multiple users to channels (inviteMultiple()) Mute/Ban users (setRestrictions())
Remove channel members	channels	manage	Unmute/Unban users (setRestrictions())
Get channel members	channels	get	Get members (getMembers()) Check restrictions (getUserRestrictions(), getUsersRestrictions(), getChannelsRestrictions(), getChannelRestrictions())
Set channel memberships	channels, uuids	join on channels update on uuids	Create channels (createDirectConversation(), createGroupConversation()) Invite a user to a channel (invite()) Join channels (join()) Update membership (update()) Unread messages (setLastReadMessage(), markAllMessagesAsRead())
Remove channel memberships	channels, uuids	join on channels update on uuids	Leave channels (leave())
Get channel memberships	uuids	get	List channels (getChannels()), getMemberships()

Mobile Push Notifications

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Register channel for push	channels	read	registerForPush(), registerPushChannels()
Remove channel's push registration	channels	read	unregisterFromPush(), unregisterPushChannels()

Message Reactions

PubNub operation	Resource type(s)	Permission	Chat SDK method(s)
Add message reaction	channels	write	toggleReaction()
Remove message reaction	channels	delete	toggleReaction()
Get history with reactions	channels	read	getHistory()