---
source_url: https://www.pubnub.com/docs/general/basics/manage-access
title: Manage access
updated_at: 2026-06-03T11:40:40.982Z
---


# Manage access

PubNub's Access Manager controls access to resources. These include channels and user metadata in real‑time apps. For example, you can set up a one‑to‑one chat room or allow only two authenticated clients (individual users or application instances) to send and receive messages in a specific channel.

Define roles and permissions first. For example, a chat app may have moderators who delete messages and regular users who send messages.

Access Manager [controls access to resources](https://www.pubnub.com/docs/general/security/access-control). It works by:

* Using [time‑limited](https://www.pubnub.com/docs/general/security/access-control#ttl) tokens (TTL)
* Granting tokens that list the [permitted operations](https://www.pubnub.com/docs/general/security/access-control#operations-to-permissions-mapping)
* Adding the token to the client SDK after grant
* Sending the token with each call until it [expires](https://www.pubnub.com/docs/general/security/access-control#ttl) or you [revoke it](https://www.pubnub.com/docs/general/security/access-control#revoke-permissions)

You can bind a token to [one User ID](https://www.pubnub.com/docs/general/security/access-control#authorized-uuid). Only that User ID is authorized.

Your server requests tokens using an SDK. Not every SDK instance can request tokens. To use Access Manager, first enable it in the [Admin Portal](https://admin.pubnub.com/). Then [set up one of PubNub's SDKs](https://www.pubnub.com/docs/general/security/access-control#server-side-operations) with a `secretKey`. That server SDK sits between client SDKs and PubNub.

Access Manager integrates with [Functions](https://www.pubnub.com/docs/serverless/functions/overview). Use it for server‑side validation and custom logic.

To implement Access Manager, set up a server SDK with a `secretKey`. The examples below show how.

:::note User ID / UUID
User ID is also referred to as **UUID/uuid** in some APIs and server responses but **holds the value** of the **userId** parameter you [set during initialization](https://www.pubnub.com/docs/general/setup/users-and-devices#set-the-user-id).
:::

###### Node.js

```javascript
const pubnub = new PubNub({
   subscribeKey: 'mySubscribeKey',
   publishKey: 'myPublishKey',
   uuid: 'myUniqueUUID',
   secretKey: 'mySecretKey'
});
```

###### Java

```java
PNConfiguration.Builder configBuilder = PNConfiguration.builder(new UserId("yourUserId"), "yourSubscribeKey");
configBuilder.publishKey("myPublishKey");
configBuilder.secretKey("mySecretKey");
PubNub pubNub = PubNub.create(configBuilder.build());
```

###### C#

```csharp
PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.Uuid = "myUniqueUuid";
Pubnub pubnub = new Pubnub(pnconfig);
```

###### Python

```python
from pubnub.pnconfiguration import PNConfiguration
from pubnub.pubnub import PubNub

pn_config = PNConfiguration()
pn_config.publish_key = "my_publish_key"
pn_config.subscribe_key = "my_subscribe_key"
pn_config.uuid = "my_unique_uuid"
pn_config.secret_key = "my_secret_key"

pubnub = PubNub(pn_config)
```

###### Dart

```dart
final myKeyset = Keyset(
  subscribeKey: 'subscribeKey',
  publishKey: 'publishKey',
  secretKey: 'secretKey',
  userId: UserId('yourUniqueUserId'));

var pubnub = PubNub(defaultKeyset: myKeyset);
```

###### Kotlin

```kotlin
val pnConfiguration = PNConfiguration(UserId("myUserId")).apply {
    subscribeKey = "my_subkey"
    publishKey = "my_pubkey"
    secretKey = "my_secretkey"
    secure = true
}
val pubnub = PubNub.create(pnConfiguration)
```

To issue a grant request, the client SDK calls your server SDK. The server SDK is the intermediary between clients and PubNub.

Once your server SDK is initialized, you can grant specific permissions to a User ID. The examples below grant the `thomas_anderson` User ID read access to `channel-a`, read/write access to `channel-b` and `channel-c`, and get/update access to `uuid-d` for 15 minutes.

###### Node.js

```javascript
pubnub.grantToken(
    {
        ttl: 15,
        authorized_uuid: "thomas_anderson",
        resources: {
            channels: {
                "channel-a": {
                    read: true
                },
                "channel-b": {
                    read: true,
                    write: true
                },
                "channel-c": {
                    read: true,
                    write: true
                }
            },
            uuids: {
                "uuid-d": {
                    get: true,
                    update: true
                }
            }
        }
    },
    function (status, token) {
        console.log(token)
    });
```

###### Java

```java
pubNub.grantToken()
    .ttl(15)
    .authorizedUUID("thomas_anderson")
    .channels(Arrays.asList(
        ChannelGrant.name("channel-a").read(),
        ChannelGrant.name("channel-b").read().write(),
        ChannelGrant.name("channel-c").read().write()))
    .uuids(Arrays.asList(
        UUIDGrant.id("uuid-d").get().update()))
    .async(result -> { /* check result */ });
```

###### C#

```csharp
PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
    .TTL(15)
    .AuthorizedUuid("thomas_anderson")
    .Resources(new PNTokenResources()
    {
        Channels = new Dictionary<string, PNTokenAuthValues>() {
            { "channel-a", new PNTokenAuthValues() { Read = true } },
            { "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
            { "channel-c", new PNTokenAuthValues() { Read = true, Write = true } } },
        Uuids = new Dictionary<string, PNTokenAuthValues>() {
            { "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } } }
    })
    .ExecuteAsync();
PNAccessManagerTokenResult grantTokenResult = grantTokenResponse.Result;
PNStatus grantTokenStatus = grantTokenResponse.Status;
if (!grantTokenStatus.Error && grantTokenResult != null)
{
    Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenResult));
}
else
{
    Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(grantTokenStatus));
}
```

###### Python

```python
from pubnub.models.consumer.v3.channel import Channel
from pubnub.models.consumer.v3.uuid import UUID

channels = [
    Channel.id("channel-a").read(),
    Channel.id("channel-b").read().write(),
    Channel.id("channel-c").read().write(),
]
uuids = [
    UUID.id("uuid-d").get().update()
]
# Parentheses let the method chain span several lines.
envelope = (
    pubnub.grant_token()
    .channels(channels)
    .ttl(15)
    .uuids(uuids)
    .authorized_uuid("thomas_anderson")
    .sync()
)
```

###### Dart

```dart
var request = pubnub.requestToken(ttl: 15, authorizedUUID: 'thomas_anderson')
  ..add(ResourceType.channel, name: 'channel-a', read: true)
  ..add(ResourceType.channel, name: 'channel-b', read: true, write: true)
  ..add(ResourceType.channel, name: 'channel-c', read: true, write: true)
  ..add(ResourceType.uuid, name: 'uuid-d', get: true, update: true);

var token = await pubnub.grantToken(request);
```

###### Kotlin

```kotlin
pubnub.grantToken(
  ttl = 15,
  channels = listOf(
      ChannelGrant.name(name = "channel-a", read = true),
      ChannelGrant.name(name = "channel-b", read = true, write = true),
      ChannelGrant.name(name = "channel-c", read = true, write = true),
  ),
  uuids = listOf(
      UUIDGrant.id(id = "uuid-d", get = true, update = true)
  ),
  authorizedUUID = "thomas_anderson"
).async { result, status ->
  if (status.error) {
      // Handle error
  } else {
      // Handle result
  }
}
```

When you [grant permissions](https://www.pubnub.com/docs/general/security/access-control#grant-permissions), you don’t need to list every resource. With one call, you can grant access to multiple channels, channel groups, and user metadata using [RegEx](https://www.pubnub.com/docs/general/security/access-control#regex).
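As an added example (not PubNub's own code), here is one way a server can turn the moderator and regular-user roles described earlier into least-privilege grant requests, with an anchored RegEx pattern for moderators. The `channel-<id>` naming scheme, the session shape, and the names `ROLE_POLICY`, `buildGrantRequest` and `issueToken` are assumptions; only the `grantToken` request fields (`ttl`, `authorized_uuid`, `resources`, `patterns`) come from the SDK.

```javascript
// Added example: the role policy, session shape and channel naming are assumptions.
const MAX_TTL_MINUTES = 15;
const CHANNEL_NAME = /^channel-[a-z0-9]+$/;

// Null-prototype object so a role such as "constructor" never resolves.
const ROLE_POLICY = {
  __proto__: null,
  // Regular users send and receive messages in one channel they belong to.
  user: (channel) => ({
    resources: { channels: { [channel]: { read: true, write: true } } },
  }),
  // Moderators may also delete messages; one anchored RegEx covers every channel.
  moderator: () => ({
    patterns: {
      channels: { '^channel-[a-z0-9]+$': { read: true, write: true, delete: true } },
    },
  }),
};

// session: identity and role your server has already authenticated.
// requested: untrusted values sent by the client.
function buildGrantRequest(session, requested) {
  const policy = ROLE_POLICY[session.role];
  if (!policy) throw new Error('unknown role');
  if (session.role === 'user') {
    const allowed = CHANNEL_NAME.test(requested.channel) &&
      session.channels.includes(requested.channel);
    if (!allowed) throw new Error('channel not allowed for this user');
  }
  // Clients may ask for a shorter token lifetime, never a longer one.
  const asked = Math.floor(Number(requested.ttl)) || MAX_TTL_MINUTES;
  const ttl = Math.min(Math.max(asked, 1), MAX_TTL_MINUTES);
  // Bind the token to the authenticated User ID, not to a client-supplied one.
  return { ttl, authorized_uuid: session.userId, ...policy(requested.channel) };
}

// pubnub: a server SDK instance initialized with secretKey, as shown earlier.
async function issueToken(pubnub, session, requested) {
  return pubnub.grantToken(buildGrantRequest(session, requested));
}
```

An unanchored pattern such as `channel-` would also match names like `private-channel-x`, so keep the `^` and `$` when granting by RegEx.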

Some operations create network events. Examples include joining or leaving a channel and sending a message. Learn how to intercept these events and [trigger your business logic](https://www.pubnub.com/docs/general/basics/react-to-events).