Manage access

Often times it's necessary to limit users' access to resources, like channels or user metadata, within your application. For instance, you can set up a one-to-one chat room by only allowing two users to send and receive messages in a specific channel.

PubNub's access manager controls client access to resources using time-limited permission tokens. These tokens are granted by PubNub and contain an embedded list of permitted operations for the SDK which has that token. Once PubNub grants a token, it's added to the client SDK's configuration and is sent with every SDK call until it expires or is revoked.

Additionally, you may define a single User ID that can use the token. This way, no other User ID can use that token. If the authorized User ID is different than the one which sends the request, PubNub will deny the request.

Even though it's PubNub that grants the token, you request that a token be granted using an SDK. However, not every SDK instance may request tokens from PubNub. To use the access manager, you must first enable it on the Admin Portal and initialize one of PubNub's SDK using a secretKey. Then, that SDK acts as an intermediary between the clients that request access (SDKs) and PubNub.

User ID / UUID

User ID is also referred to as UUID/uuid in some APIs and server responses but holds the value of the userId parameter you set during initialization.

const pubnub = new PubNub({
subscribeKey: 'mySubscribeKey',
publishKey: 'myPublishKey',
uuid: 'myUniqueUUID',
secretKey: 'mySecretKey'

To issue a grant request, you must make a call from the client SDK, which is the client that wants to have access, to the server SDK, which is the intermediary between clients and PubNub.

The code below grants the thomas_anderson UUID read access to channel-a and read/write access to channel-b, channel-c, and uuid-d for 15 minutes.

ttl: 15,
authorized_uuid: "thomas_anderson",
resources: {
channels: {
"channel-a": {
read: true
"channel-b": {
read: true,
write: true
"channel-c": {
read: true,
show all 29 lines

When you grant permissions, you don't have to manually input every resource you want to grant or change access to. With a single call, you may grant access to multiple channels, channel groups, and UUID metadata using RegEx.

Certain operations, like joining/leaving a channel, or sending a message, among others, generate events sent throughout the PubNub network. Read on to learn how to intercept these events and trigger your own business logic without writing a single line of code.

Last updated on
On this page