---
source_url: https://www.pubnub.com/docs/chat/unity-chat-sdk/learn/access-control
title: Access control & data security
updated_at: 2026-05-29T11:08:46.058Z
---

> Documentation Index
> For a curated overview of PubNub documentation, see: https://www.pubnub.com/docs/llms.txt
> For the full list of all documentation pages, see: https://www.pubnub.com/docs/llms-full.txt


# Access control & data security

Control who can access resources in your chat app through authentication (identity verification) and authorization (permission management).

:::warning Required keyset configuration
To use the
[GetChannels()](https://www.pubnub.com/docs/chat/unity-chat-sdk/build/features/channels/list)
,
[GetChannelSuggestions()](https://www.pubnub.com/docs/chat/unity-chat-sdk/build/features/channels/references)
,
[GetUsers()](https://www.pubnub.com/docs/chat/unity-chat-sdk/build/features/users/list)
, and
[GetUserSuggestions()](https://www.pubnub.com/docs/chat/unity-chat-sdk/build/features/users/mentions)
methods in the Chat SDKs with Access Manager, you must uncheck the
Disallow Get All Channel Metadata
and
Disallow Get All User Metadata
checkboxes in the App Context section of your keyset configuration in the
[Admin Portal](https://admin.pubnub.com)
.
:::

## Custom origin

A custom origin is a subdomain configured specifically for your application, such as `abc.pubnubapi.com`. Using a custom origin allows PubNub to route traffic uniquely for your application. Set this in the `PNConfiguration` object during initialization.

:::note Contact support
To request a custom origin, [contact PubNub Support](https://support.pubnub.com/).
:::

## User authentication

Authentication verifies user identity. The Chat SDK does not include built-in authentication. Implement your own system using:

* Username/password login
* Token-based authentication
* Single Sign-On (SSO)
* Two-factor authentication (2FA)
* OAuth or external identity providers

## User authorization

Authorization controls what authenticated users can do. Use [Access Manager](https://www.pubnub.com/docs/general/security/access-control) to:

* Grant or deny access to channels and users
* Define [permissions](https://www.pubnub.com/docs/chat/unity-chat-sdk/build/features/users/permissions) for reading, writing, and managing data
* Protect private channels and user metadata

For details on client-server-PubNub interactions, see the [authorization workflow](https://www.pubnub.com/docs/general/security/access-control#authorization-flow).

:::note Enable Access Manager
Enable Access Manager on your keyset in the [Admin Portal](https://admin.pubnub.com/) and initialize the Chat SDK with `SecretKey`. Access Manager is available in [Unity SDK](https://www.pubnub.com/docs/sdks/unity/api-reference/access-manager), not Unity Chat SDK.
:::

## Token permissions

When you use Access Manager, your client application will receive a token that governs the access levels and types of operations you can perform. The `CanI()` method checks if a client has permissions to perform a specific action on a given resource.

### Method signature

```csharp
Chat.ChatAccessManager.CanI(
    PubnubAccessPermission permission,
    PubnubAccessResourceType resourceType,
    string resourceName
)
```

#### Input

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| permission | PubnubAccessPermission | Yes |  | The operation type to check if the current user has permissions for. |
| resourceType | PubnubAccessResourceType | Yes |  | The resource type to check if the current user has permissions for. |
| resourceName | string | Yes |  | The name of the resource, for example, a channel name or a user ID. |

* PubnubAccessPermission 1public enum PubnubAccessPermission2{3 Read, 4 Write, 5 Manage, 6 Delete, 7 Get, 8 Join, 9 Update10}
* PubnubAccessResourceType 1 public enum PubnubAccessResourceType2 {3 Uuids, 4 Channels5 }

#### Output

| Parameter | Description |
| --- | --- |
| `Task<bool>` | An awaitable `Task` with a `bool` signifying whether or not the client has permissions to perform the requested operation on the requested resource. |

### Sample code

Check if the current user can send messages to the `support` channel.

```csharp
using System.Threading.Tasks;
using PubnubApi;
using PubnubChatApi;
using UnityEngine;

// Configuration
PubnubChatConfig chatConfig = new PubnubChatConfig();
        
PNConfiguration pnConfiguration = new PNConfiguration(new UserId("myUniqueUserId"))
{
    SubscribeKey = "demo",
    PublishKey = "demo",
    Secure = true
};

// Initialize Unity Chat
var chatResult = await UnityChat.CreateInstance(chatConfig, pnConfiguration);
if (!chatResult.Error)
{
    chat = chatResult.Result;
}
var pnConfiguration = new PNConfiguration(new UserId("UserId"))
{
    PublishKey = "PublishKey",
    SubscribeKey = "SubscribeKey",
    AuthKey = "AuthKey"
};

var chatConfig = new PubnubChatConfig();
var chatResult = await Chat.CreateInstance(chatConfig, pnConfiguration);
if (chatResult.Error)
{
    Debug.Log("Failed to create chat instance");
    return;
}
var chat = chatResult.Result;

// get the ChatAccessManager instance
var chatAccessManager = chat.ChatAccessManager;

// define the permissions, resource type, and resource name
PubnubAccessPermission permissionToCheck = PubnubAccessPermission.Write;
PubnubAccessResourceType resourceTypeToCheck = PubnubAccessResourceType.Channels;
string channelName = "support";

// check if the current user can send (write) messages to the 'support' channel
bool canSendMessage = await chatAccessManager.CanI(permissionToCheck, resourceTypeToCheck, channelName);

// output the result
if (canSendMessage)
{
    Debug.Log("The current user has permission to send messages to the 'support' channel.");
}
else
{
    Debug.Log("The current user does not have permission to send messages to the 'support' channel.");
}
```

## Token management

The `Chat` object's `PubnubInstance` contains methods for managing the auth token of an initialized `Chat` instance.

### Set token

The `SetAuthToken()` method allows client devices to update their authentication token. This token, granted by the server, contains embedded permissions that define the client's access to PubNub resources. By setting a new token, the client ensures that its requests to PubNub are authorized according to the permissions specified in the updated token.

#### Method signature

```csharp
chat.PubnubInstance.SetAuthToken(string token)
```

#### Input

| Parameter | Description |
| --- | --- |
| `token` *Type: `string` | The authentication token with embedded permissions. |

#### Sample code

```csharp
using System.Threading.Tasks;
using PubnubApi;
using PubnubChatApi;
using UnityEngine;

// Configuration
PubnubChatConfig chatConfig = new PubnubChatConfig();
        
PNConfiguration pnConfiguration = new PNConfiguration(new UserId("myUniqueUserId"))
{
    SubscribeKey = "demo",
    PublishKey = "demo",
    Secure = true
};

// Initialize Unity Chat
var chatResult = await UnityChat.CreateInstance(chatConfig, pnConfiguration);
if (!chatResult.Error)
{
    chat = chatResult.Result;
}
var pnConfiguration = new PNConfiguration(new UserId("UserId"))
{
    PublishKey = "PublishKey",
    SubscribeKey = "SubscribeKey"
};
var chatConfig = new PubnubChatConfig();
var chatResult = await Chat.CreateInstance(chatConfig, pnConfiguration);
if (chatResult.Error)
{
    Debug.Log("Failed to create chat instance");
    return;
}
var chat = chatResult.Result;

// Set a new authentication token
chat.PubnubInstance.SetAuthToken("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI");
```

#### Returns

This method does not return any response value. If the operation fails, an exception will be thrown.

### Parse token

The `ParseToken()` method decodes an existing token and returns a JSON string containing the permissions embedded in that token. This method is useful for debugging purposes, allowing you to inspect the token's permissions and other metadata, such as its time-to-live (TTL) and authorized user ID.

#### Method signature

```csharp
chat.PubnubInstance.ParseToken(string token)
```

#### Input

| Parameter | Description |
| --- | --- |
| `token` *Type: `string` | The authentication token to decode. |

#### Output

| Parameter | Description |
| --- | --- |
| `result`Type: `string` | A JSON string containing the token's permissions and metadata. |

#### Sample code

```csharp
using System.Threading.Tasks;
using PubnubApi;
using PubnubChatApi;
using UnityEngine;

// Configuration
PubnubChatConfig chatConfig = new PubnubChatConfig();
        
PNConfiguration pnConfiguration = new PNConfiguration(new UserId("myUniqueUserId"))
{
    SubscribeKey = "demo",
    PublishKey = "demo",
    Secure = true
};

// Initialize Unity Chat
var chatResult = await UnityChat.CreateInstance(chatConfig, pnConfiguration);
if (!chatResult.Error)
{
    chat = chatResult.Result;
}
var pnConfiguration = new PNConfiguration(new UserId("UserId"))
{
    PublishKey = "PublishKey",
    SubscribeKey = "SubscribeKey"
};
var chatConfig = new PubnubChatConfig();
var chatResult = await Chat.CreateInstance(chatConfig, pnConfiguration);
if (chatResult.Error)
{
    Debug.Log("Failed to create chat instance");
    return;
}
var chat = chatResult.Result;

// Parse an existing token
var tokenDetails = chat.PubnubInstance.ParseToken("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI");

// Output the token details
Debug.Log("Token Details: " + chat.PubnubInstance.JsonPluggableLibrary.SerializeToJsonString(tokenDetails));
```

#### Example output

```json
{
    "Version":2,
    "Timestamp":1619718521,
    "TTL":15,
    "AuthorizedUuid":"my_uuid",
    "Resources":{
        "Uuids":{
          "uuid-id":{
                "Read":true,
                "Write":true,
                "Manage":true,
                "Delete":true,
                "Get":true,
                "Update":true,
                "Join":true
          }
        },
        "Channels":{
          "channel-id":{         
                "Read":true,
                "Write":true,
                "Manage":true,
                "Delete":true,
                "Get":true,
                "Update":true,
                "Join":true
          }
        }
    },
    "Patterns":{
        "Channels":{
          "channel-pattern":{         
                "Read":true,
                "Write":true,
                "Manage":true,
                "Delete":true,
                "Get":true,
                "Update":true,
                "Join":true
          }
        }
    }
}
```

## Operations-to-permissions mapping

The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, `write` access given to a user for the `channels` resource type (either specific channels or channel `patterns`) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Unreal Chat SDK's `SendText()` method).

:::tip Chat SDK method to required Access Manager permission mapping
For information about which Chat SDK methods require what Access Manager permissions, refer to [Security and permissions](https://www.pubnub.com/docs/chat/security#operations-to-permissions-mapping).
:::