Banning users on channels

If you enable Access Manager on your keyset in the Admin Portal, you automatically disable default access to channels, channel groups, and other users' metadata until these are specifically granted. You can additionally restrict this access by authorizing only one user (authorizedUserId) to perform certain operations on selected resources.

Updating access level

Once a user is given read or write permissions, they will continue to have them until the ttl (time-to-live for the token) set in the grant token request expires or the token is revoked. You can override existing access to PubNub resources by requesting the server for a new token with changed permissions and using this token in all subsequent requests. Previous access will be removed once the original token expires. For this reason, it's recommended to use short-lived tokens with ttl between 10 and 60 minutes.

If you granted user-1 write access to channel-a and channel-b as seen in this example, you can use the code below to update their access level by, for example, removing the write permissions to both channels. Note that once the server returns the new token, you must update the token used by your client. For more information on setting tokens on the client, refer to Managing user permissions.

ttl: 15,
authorizedUserId: "user-1",
resources: {
spaces: {
"channel-a": {
read: true,
write: false
"channel-b": {
read: true,
write: false
show all 20 lines

Revoking all permissions

If you want to ban a user by removing all permissions associated with their token, you can revoke it entirely. This means that all calls to any PubNub API that use a revoked token will fail with a 403 Revoked Token error, effectively prohibiting the user from accessing any resources.

Enable token revoke

To revoke tokens, you must first enable this feature on the Admin Portal. To do that, navigate to your app's keyset and mark the Revoke v3 Token checkbox in the ACCESS MANAGER section.

try {
const token = await pubnub.revokeToken({
token: "p0AkFl043rhDdHRsple3KgQ3NwY6BDcENnctokenVzcqBDczaWdYIGOAeTyWGJI"
} catch (status) {

For more details about revoking tokens, refer to the Access Manager document.

Last updated on