Access control & data security
Control who can access resources in your chat app through authentication (identity verification) and authorization (permission management).
Required keyset configuration
Custom origin
A custom origin is a subdomain configured specifically for your application, such as abc.pubnubapi.com. Using a custom origin allows PubNub to route traffic uniquely for your application.
Contact support
To request a custom origin, contact PubNub Support.
Set origin
The SetPubnubOrigin() method in Unreal Chat SDK allows client devices to configure a custom origin for their PubNub requests.
Method signature
1UPubnubAccessManager::SetPubnubOrigin(FString Origin)
Input
| Parameter | Description |
|---|---|
Origin *Type: FString | The custom origin to be set for PubNub requests. |
Output
| Type | Description |
|---|---|
int | 0 if the origin is set successfully, +1 if it will be applied on reconnect, -1 if setting the origin is not enabled. |
Sample code
1#include "Kismet/GameplayStatics.h"
2#include "PubnubChatSubsystem.h"
3#include "PubnubAccessManager.h"
4
5UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
6UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
7UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");
8
9// Get the Access Manager
10UPubnubAccessManager* AccessManager = Chat->GetAccessManager();
11
12// Set a new custom origin
13FString CustomOrigin = "abc.pubnubapi.com";
14int Result = AccessManager->SetPubnubOrigin(CustomOrigin);
15
User authentication
Authentication verifies user identity. The Chat SDK does not include built-in authentication. Implement your own system using:
- Username/password login
- Token-based authentication
- Single Sign-On (SSO)
- Two-factor authentication (2FA)
- OAuth or external identity providers
User authorization
Authorization controls what authenticated users can do. Use Access Manager to:
- Grant or deny access to channels and users
- Define permissions for reading, writing, and managing data
- Protect private channels and user metadata
For details on client-server-PubNub interactions, see the authorization workflow.
Access Manager
Access Manager is available in Unreal SDK, not Unreal Chat SDK.
As long as the tokens with correct permissions are granted and set in the client that uses Unreal Chat SDK, it doesn't matter which SDK grants them.
Token permissions
When you use Access Manager, your client application receives a token that governs access levels and operations. Use the AccessManager->CanI() method to check if a client has permissions for a specific action on a given resource.
Method signature
- Blueprint
- C++ / Input parameters
1AccessManager->CanI(
2 EPubnubAccessManagerPermission Permission, EPubnubAccessManagerResourceType ResourceType,
3 FString ResourceName
4);
| Parameter | Description |
|---|---|
User * | The operation type to check if the current user has permissions for. |
ChannelID * | The resource type to check if the current user has permissions for. |
ResourceName *Type: FString | The name of the resource, for example, a channel name or a user ID. |
EPubnubAccessManagerPermission
| Enum Value | Description |
|---|---|
PAMP_READ | Read permission for a channel. |
PAMP_WRITE | Write permission for a channel. |
PAMP_MANAGE | Manage permission for a channel. |
PAMP_DELETE | Delete permission for a channel. |
PAMP_GET | Permission to get details of a channel. |
PAMP_JOIN | Permission to join a channel. |
PAMP_UPDATE | Permission to update a channel's details. |
EPubnubAccessManagerResourceType
| Enum Value | Description |
|---|---|
PAMRT_UUIDS | Resource type for UUIDs. |
PAMRT_CHANNELS | Resource type for Channels. |
Output
| Type | Description |
|---|---|
bool | Whether or not the client has permissions to perform the requested operation on the requested resource. |
Sample code
Check if the current user can send messages to the customer_XYZ channel.
1#include "Kismet/GameplayStatics.h"
2#include "PubnubChatSubsystem.h"
3#include "PubnubAccessManager.h"
4
5UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
6UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
7UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");
8
9// Get the Access Manager
10UPubnubAccessManager* AccessManager = Chat->GetAccessManager();
11
12// Define the channel name and resource type
13FString ChannelName = "customer_XYZ";
14EPubnubAccessManagerResourceType ResourceType = EPubnubAccessManagerResourceType::PAMRT_CHANNELS;
15
Token management
The UPubnubAccessManager class provides methods for managing authentication tokens.
Set token
Use SetAuthToken() to update the client's authentication token. The token contains embedded permissions that define access to PubNub resources.
Method signature
1void UPubnubAccessManager::SetAuthToken(FString Token)
Input
| Parameter | Description |
|---|---|
Token *Type: FString | The authentication token with embedded permissions. |
Sample code
1#include "Kismet/GameplayStatics.h"
2#include "PubnubChatSubsystem.h"
3#include "PubnubAccessManager.h"
4
5UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
6UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
7UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");
8
9// Get the Access Manager
10UPubnubAccessManager* AccessManager = Chat->GetAccessManager();
11
12// Set a new authentication token
13FString AuthToken = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
14AccessManager->SetAuthToken(AuthToken);
This method does not return any response value. If the operation fails, ensure the token is valid and properly formatted.
Parse token
Use ParseToken() to decode an existing token and inspect its permissions and metadata (TTL, authorized user ID).
Method signature
1FString UPubnubAccessManager::ParseToken(FString Token)
Input
| Parameter | Description |
|---|---|
Token *Type: FString | The authentication token to decode. |
Output
| Type | Description |
|---|---|
FString | A string containing the token's permissions and metadata. |
Sample code
1#include "Kismet/GameplayStatics.h"
2#include "PubnubChatSubsystem.h"
3#include "PubnubAccessManager.h"
4
5UGameInstance* GameInstance = UGameplayStatics::GetGameInstance(ContextObject);
6UPubnubChatSubsystem* PubnubChatSubsystem = GameInstance->GetSubsystem<UPubnubChatSubsystem>();
7UPubnubChat* Chat = PubnubChatSubsystem->InitChat("demo", "demo", "my_user");
8
9// Get the Access Manager
10UPubnubAccessManager* AccessManager = Chat->GetAccessManager();
11
12// Parse an existing token
13FString Token = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
14FString TokenDetails = AccessManager->ParseToken(Token);
15
Example output
The server returns the permissions in a CBOR format. You can Base 64 decode it, and parse with any a CBOR parser.
1{
2 "v":2,
3 "t":1619718521,
4 "ttl":15,
5 "res":{
6 "usr":{},
7 "spc":{},
8 "chan":{{"ch1":19}},
9 "grp":{}
10 },
11 "pat":{
12 "usr":{},
13 "spc":{},
14 "chan":{},
15 "grp":{}
Operations-to-permissions mapping
The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Unreal Chat SDK's SendText() method).
Chat SDK method to required Access Manager permission mapping
For information about which Chat SDK methods require what Access Manager permissions, refer to Security and permissions.