---
source_url: https://www.pubnub.com/docs/chat/unreal-chat-sdk/learn/access-control
title: Access control & data security
updated_at: 2026-06-25T17:02:31.227Z
---


# Access control & data security

Control who can access resources in your chat app through authentication (identity verification) and authorization (permission management).

:::warning Required keyset configuration
To use the [GetChannels()](https://www.pubnub.com/docs/chat/unreal-chat-sdk/build/features/channels/list), [GetChannelSuggestions()](https://www.pubnub.com/docs/chat/unreal-chat-sdk/build/features/channels/references), [GetUsers()](https://www.pubnub.com/docs/chat/unreal-chat-sdk/build/features/users/list), and [GetUserSuggestions()](https://www.pubnub.com/docs/chat/unreal-chat-sdk/build/features/users/mentions) methods in the Chat SDKs with Access Manager, you must uncheck the Disallow Get All Channel Metadata and Disallow Get All User Metadata checkboxes in the App Context section of your keyset configuration in the [Admin Portal](https://admin.pubnub.com).
:::

## Custom origin

A custom origin is a subdomain configured specifically for your application, such as `abc.pubnubapi.com`. Using a custom origin allows PubNub to route traffic uniquely for your application.

:::note Contact support
To request a custom origin, [contact PubNub Support](https://support.pubnub.com/).
:::

### Set origin

The `SetPubnubOrigin()` method in Unreal Chat SDK allows client devices to configure a custom `origin` for their PubNub requests.

#### Method signature

```cpp
int UPubnubChatAccessManager::SetPubnubOrigin(FString Origin)
```

#### Input

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| Origin | FString | Yes |  | The custom origin to be set for PubNub requests. |

#### Output

| Type | Description |
| --- | --- |
| `int` | `0` if the origin is set successfully, `+1` if it will be applied on reconnect, `-1` if setting the origin is not enabled. |

#### Sample code

###### Actor.h

```cpp
UFUNCTION(BlueprintCallable, Category = "PubnubChat|Samples|Chat|Access Manager")
void AccessManagerSetOriginSample();
```

###### Actor.cpp

```cpp
#include "PubnubChatAccessManager.h"

// ACTION REQUIRED: Replace ASample_Chat with name of your Actor class
void ASample_Chat::AccessManagerSetOriginSample()
{
	// ACTION REQUIRED: Replace nullptr with your valid and initialized UPubnubChat instance
	UPubnubChat* Chat = nullptr;
	if (!Chat)
	{
		UE_LOG(LogTemp, Warning, TEXT("Chat is not initialized."));
		return;
	}

	UPubnubChatAccessManager* AccessManager = Chat->GetAccessManager();

	FString CustomOrigin = "abc.pubnubapi.com";
	int Result = AccessManager->SetPubnubOrigin(CustomOrigin);

	if (Result == 0)
	{
		UE_LOG(LogTemp, Log, TEXT("Custom origin set successfully."));
	}
	else if (Result == 1)
	{
		UE_LOG(LogTemp, Log, TEXT("Custom origin will be applied on reconnect."));
	}
	else
	{
		UE_LOG(LogTemp, Warning, TEXT("Setting custom origin is not enabled."));
	}
}
```
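If the origin string comes from remote or user-editable configuration, validate it before passing it to `SetPubnubOrigin()`, because the origin decides which host receives the client's traffic. The following is an added example, not part of the SDK or the original page: `IsAllowedOrigin()` is a hypothetical helper in standalone C++ (no Unreal types), and the `.pubnubapi.com` suffix is an assumption taken from the sample value above.

```cpp
#include <cctype>
#include <string>

// ASSUMPTION: this app's custom origins live under this suffix (from the page's sample value).
static const std::string kAllowedSuffix = ".pubnubapi.com";

// A DNS label is 1-63 characters of letters, digits or '-', with no leading or trailing '-'.
static bool IsValidLabel(const std::string& label) {
    if (label.empty() || label.size() > 63) return false;
    if (label.front() == '-' || label.back() == '-') return false;
    for (unsigned char c : label)
        if (!std::isalnum(c) && c != '-') return false;
    return true;
}

// Hypothetical helper: accept only a bare hostname under the allowed suffix.
// Schemes, ports, paths, userinfo, whitespace, trailing dots and look-alike
// suffixes are rejected. The suffix is compared case-sensitively, so
// configuration values are expected in lowercase.
bool IsAllowedOrigin(const std::string& origin) {
    if (origin.size() > 253 || origin.size() <= kAllowedSuffix.size()) return false;
    if (origin.compare(origin.size() - kAllowedSuffix.size(),
                       kAllowedSuffix.size(), kAllowedSuffix) != 0) return false;
    // Check every dot-separated label; '/', ':', '@' or a space fails here.
    size_t start = 0;
    while (start <= origin.size()) {
        size_t dot = origin.find('.', start);
        if (dot == std::string::npos) dot = origin.size();
        if (!IsValidLabel(origin.substr(start, dot - start))) return false;
        start = dot + 1;
    }
    return true;
}
```

In an Unreal project, run the same check on the configured value before building the `FString` passed to `SetPubnubOrigin()`, and compare `GetPubnubOrigin()` against the expected host afterwards.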

### Get origin

The `GetPubnubOrigin()` method returns the current PubNub origin (host) used by the underlying client.

#### Method signature

```cpp
FString UPubnubChatAccessManager::GetPubnubOrigin()
```

#### Output

| Type | Description |
| --- | --- |
| `FString` | The current origin string, or empty if not set. |

## User authentication

Authentication verifies user identity. The Chat SDK does not include built-in authentication. Implement your own system using:

* Username/password login
* Token-based authentication
* Single Sign-On (SSO)
* Two-factor authentication (2FA)
* OAuth or external identity providers

## User authorization

Authorization controls what authenticated users can do. Use [Access Manager](https://www.pubnub.com/docs/general/security/access-control) to:

* Grant or deny access to channels and users
* Define [permissions](https://www.pubnub.com/docs/chat/unreal-chat-sdk/build/features/users/permissions) for reading, writing, and managing data
* Protect private channels and user metadata

For details on client-server-PubNub interactions, see the [authorization workflow](https://www.pubnub.com/docs/general/security/access-control#authorization-flow).

:::warning Access Manager
Access Manager is available in [Unreal SDK](https://www.pubnub.com/docs/sdks/unreal), not Unreal Chat SDK.
As long as the tokens with correct permissions are granted and set in the client that uses Unreal Chat SDK, it doesn't matter which SDK grants them.
:::

## Token permissions

When you use Access Manager, your client application receives a token that governs access levels and operations. Use the `AccessManager->CanI()` method to check if a client has permissions for a specific action on a given resource.

### Method signature

```cpp
AccessManager->CanI(
  EPubnubChatAccessManagerPermission Permission, EPubnubChatAccessManagerResourceType ResourceType, 
  FString ResourceName
);
```

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| `Permission` | [EPubnubChatAccessManagerPermission](#epubnubchataccessmanagerpermission) | Yes | The operation type to check if the current user has permissions for. |
| `ResourceType` | [EPubnubChatAccessManagerResourceType](#epubnubchataccessmanagerresourcetype) | Yes | The resource type to check if the current user has permissions for. |
| `ResourceName` | `FString` | Yes | The name of the resource, for example, a channel name or a user ID. |

#### EPubnubChatAccessManagerPermission

| Enum Value | Description |
| --- | --- |
| `PCAMP_Read` | Read permission for a resource. |
| `PCAMP_Write` | Write permission for a resource. |
| `PCAMP_Manage` | Manage permission for a resource. |
| `PCAMP_Delete` | Delete permission for a resource. |
| `PCAMP_Get` | Permission to get details of a resource. |
| `PCAMP_Join` | Permission to join a channel. |
| `PCAMP_Update` | Permission to update a resource's details. |

#### EPubnubChatAccessManagerResourceType

| Enum Value | Description |
| --- | --- |
| `PCAMRT_Users` | Resource type for Users. |
| `PCAMRT_Channels` | Resource type for Channels. |

#### Output

| Type | Description |
| --- | --- |
| `bool` | Whether or not the client has permissions to perform the requested operation on the requested resource. |

### Sample code

:::tip Reference code
This example is a self-contained code snippet ready to be run. Set up your Unreal project and follow the instructions in the lines marked with `ACTION REQUIRED` before running the code. Use it as a reference when working with other examples in this document.
:::

Check if the current user can send messages to the `customer_XYZ` channel.

###### Actor.h

```cpp
UFUNCTION(BlueprintCallable, Category = "PubnubChat|Samples|Chat|Access Manager")
void AccessManagerCanISample();
```

###### Actor.cpp

```cpp
#include "PubnubChatAccessManager.h"

// ACTION REQUIRED: Replace ASample_Chat with name of your Actor class
void ASample_Chat::AccessManagerCanISample()
{
	// ACTION REQUIRED: Replace nullptr with your valid and initialized UPubnubChat instance
	UPubnubChat* Chat = nullptr;
	if (!Chat)
	{
		UE_LOG(LogTemp, Warning, TEXT("Chat is not initialized."));
		return;
	}

	UPubnubChatAccessManager* AccessManager = Chat->GetAccessManager();

	FString ChannelName = "customer_XYZ";
	EPubnubChatAccessManagerResourceType ResourceType = EPubnubChatAccessManagerResourceType::PCAMRT_Channels;
	EPubnubChatAccessManagerPermission Permission = EPubnubChatAccessManagerPermission::PCAMP_Write;

	bool bCanSendMessage = AccessManager->CanI(Permission, ResourceType, ChannelName);
}
```

## Token management

The `UPubnubChatAccessManager` class provides methods for managing authentication tokens.

### Set token

Use `SetAuthToken()` to update the client's authentication token. The token contains embedded permissions that define access to PubNub resources.

#### Method signature

```cpp
void UPubnubChatAccessManager::SetAuthToken(FString Token)
```

#### Input

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| `Token` | `FString` | Yes | The authentication token with embedded permissions. |

#### Sample code

###### Actor.h

```cpp
UFUNCTION(BlueprintCallable, Category = "PubnubChat|Samples|Chat|Access Manager")
void AccessManagerSetAuthTokenSample();
```

###### Actor.cpp

```cpp
// ACTION REQUIRED: Replace ASample_Chat with name of your Actor class
void ASample_Chat::AccessManagerSetAuthTokenSample()
{
	// ACTION REQUIRED: Replace nullptr with your valid and initialized UPubnubChat instance
	UPubnubChat* Chat = nullptr;
	if (!Chat)
	{
		UE_LOG(LogTemp, Warning, TEXT("Chat is not initialized."));
		return;
	}

	UPubnubChatAccessManager* AccessManager = Chat->GetAccessManager();

	FString AuthToken = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
	AccessManager->SetAuthToken(AuthToken);
}
```

This method does not return any response value. If the operation fails, ensure the token is valid and properly formatted.

### Parse token

Use `ParseToken()` to decode an existing token and inspect its permissions and metadata (TTL, authorized user ID).

#### Method signature

```cpp
FString UPubnubChatAccessManager::ParseToken(FString Token)
```

#### Input

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| `Token` | `FString` | Yes | The authentication token to decode. |

#### Output

| Type | Description |
| --- | --- |
| `FString` | A string containing the token's permissions and metadata. |

#### Sample code

###### Actor.h

```cpp
UFUNCTION(BlueprintCallable, Category = "PubnubChat|Samples|Chat|Access Manager")
void AccessManagerParseTokenSample();
```

###### Actor.cpp

```cpp
// ACTION REQUIRED: Replace ASample_Chat with name of your Actor class
void ASample_Chat::AccessManagerParseTokenSample()
{
	// ACTION REQUIRED: Replace nullptr with your valid and initialized UPubnubChat instance
	UPubnubChat* Chat = nullptr;
	if (!Chat)
	{
		UE_LOG(LogTemp, Warning, TEXT("Chat is not initialized."));
		return;
	}

	UPubnubChatAccessManager* AccessManager = Chat->GetAccessManager();

	FString Token = "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenVzcqBDc3BjoERtZXRhoENzaWdYIGOAeTyWGJI";
	FString TokenDetails = AccessManager->ParseToken(Token);

	UE_LOG(LogTemp, Log, TEXT("Token Details: %s"), *TokenDetails);
}
```

#### Example output

The server returns the permissions in CBOR format. You can Base64-decode it and parse it with any CBOR parser.

```json
{
   "v":2,
   "t":1619718521,
   "ttl":15,
   "res":{
      "usr":{},
      "spc":{},
      "chan":{"ch1":19},
      "grp":{}
   },
   "pat":{
      "usr":{},
      "spc":{},
      "chan":{},
      "grp":{}
   },
   "meta":{},
   "sig":"signature"
}
```
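The numeric value next to each resource (`19` for `ch1` above) is a permission bitmask, and `t` with `ttl` bounds the token's lifetime. The following added example, which is not SDK code or part of the original page, interprets those fields in standalone C++ without Unreal types. The bit values, the `ttl` unit (minutes) and full-match regex semantics for `pat` entries are assumptions based on PubNub Access Manager v3 that this page does not state; `ParsedToken`, `DecodeMask`, `IsExpired` and `TokenAllows` are hypothetical names.

```cpp
#include <cstdint>
#include <map>
#include <regex>
#include <string>
#include <vector>

// ASSUMPTION: bit values as in PubNub Access Manager v3; not listed on this page.
enum PermBit : uint32_t { Read = 1, Write = 2, Manage = 4, Delete = 8,
                          Create = 16, Get = 32, Update = 64, Join = 128 };

// Hypothetical holder for fields shown in the ParseToken() example output.
struct ParsedToken {
    int64_t t;    // issue time, Unix seconds
    int64_t ttl;  // lifetime; ASSUMPTION: minutes
    std::map<std::string, uint32_t> resChan;  // res.chan: channel name -> mask
    std::map<std::string, uint32_t> patChan;  // pat.chan: regex pattern -> mask
};

// Expand a permission bitmask into names, lowest bit first.
std::vector<std::string> DecodeMask(uint32_t mask) {
    static const char* kNames[] = {"read", "write", "manage", "delete",
                                   "create", "get", "update", "join"};
    std::vector<std::string> out;
    for (int i = 0; i < 8; ++i)
        if (mask & (1u << i)) out.push_back(kNames[i]);
    return out;
}

bool IsExpired(const ParsedToken& tok, int64_t nowUnix) {
    return nowUnix >= tok.t + tok.ttl * 60;
}

// True only if the token is unexpired and grants `bit` on `channel`, by exact
// name or by a pattern entry that matches the whole name.
bool TokenAllows(const ParsedToken& tok, const std::string& channel,
                 PermBit bit, int64_t nowUnix) {
    if (IsExpired(tok, nowUnix)) return false;
    auto it = tok.resChan.find(channel);
    if (it != tok.resChan.end() && (it->second & bit)) return true;
    for (const auto& p : tok.patChan) {
        if (!(p.second & bit)) continue;
        try {
            if (std::regex_match(channel, std::regex(p.first))) return true;
        } catch (const std::regex_error&) {}  // malformed pattern grants nothing
    }
    return false;
}

// Constructed sample mirroring the example output: t, ttl and "ch1":19.
ParsedToken SampleToken() { return ParsedToken{1619718521, 15, {{"ch1", 19}}, {}}; }
```

A local check like this only avoids sending requests that would be refused or spots a token that needs refreshing; Access Manager still enforces the permissions on the server.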

## Operations-to-permissions mapping

The access level you grant on a given resource type defines which operations users can perform in your app. For example, `write` access granted to a user for the `channels` resource type (either specific channels or channel `patterns`) lets them send messages to those channels through the Unreal Chat SDK's `SendText()` method, which uses the PubNub Pub/Sub API underneath.

:::tip Chat SDK method to required Access Manager permission mapping
For information about which Chat SDK methods require what Access Manager permissions, refer to [Security and permissions](https://www.pubnub.com/docs/chat/security#operations-to-permissions-mapping).
:::