Security and permissions

Authentication and authorization mechanisms in your chat app let you decide who can access what resources based on identity and permissions. Additional security measures let you send and receive messages and files through your chat app, preventing unauthorized users from accessing that data.

Add or remove access to resources

PubNub Chat SDKs provide authorization in your chat app through Access Manager - a secure, token-based permission administrator that lets you regulate clients' access to such PubNub resources as channels and users.

By making a single call to Access Manager API, you can define multiple user permissions saying who can do what with your client or server app data. Those permissions are stored within a token that you can then pass to the client device. The client device uses this token to authenticate with PubNub and access the resources you've defined.

Depending on whether you create a client or server app, there are three possible actors involved in the authorization cycle: PubNub (server), your own server, and a client device. For more details, read the authorization workflow.

Set the token

As long as the tokens with correct permissions are granted and set in the client that uses the Chat SDK, it doesn't matter which SDK grants them.

Access Manager availability

Access Manager is available in most core SDKs and some chat SDKs.

When you have the token with the correct permissions, you can set it in the Chat SDK. Refer to each Chat SDK's configuration documentation to learn how to set the token.

Operations-to-permissions mapping

The type of access level you grant on a given resource type defines which operations users can perform in your app. For example, write access given to a user for the channels resource type (either specific channels or channel patterns) lets them send messages to this channel/these channels (calling the PubNub Pub/Sub API underneath and the Chat SDK's SendText() method).

Variables

Certain Chat SDK methods require permissions on specific channels. Each instance of channelId, userId, messageTimetoken, parentChannelId, threadChannelId, and threadMessageChannelId in the table is a placeholder and it is up to you to provide the correct value.

In some cases, certain channels are created that have a specific naming convention, like PUBNUB_INTERNAL_MODERATION_channelId, PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken, or channelId-pnpres. Inspect the tables carefully and manage your permissions accordingly.

The following tables show which specific permissions granted to PubNub resources translate to operations users can later perform using our Chat SDKs.

Method scope and naming

The method names may vary across Chat SDKs due to syntax differences between programming languages. Also, methods that don't require communicating with the PubNub servers don't require permissions and are not present in the table.

Chat object methods

Chat SDK method(s)Resource: Permission
Init()
UUID: Get, Update
CreatePublicConversation()
Channel (channelId): Update
CreateDirectConversation()
Channel (channelId): Get, Update, Join, Write
Channel (invitee): Write
UUID (userThatCallsTheMethod, invitee): Update, Get
CreateGroupConversation()
Channel (channelId): Update, Manage, Join
Channel (invitee[]): Write
UUID (userThatCallsTheMethod, invitee[]): Update, Get
GetChannel()
Channel: Get

GetChannels()
No permissions required.

Ensure that the Disallow Get All Channel Metadata checkbox in your keyset configuration in the Admin Portal is unmarked.
UpdateChannel()
Channel (channelId): Update
DeleteChannel()
Channel (channelId): Delete
PinMessageToChannel()
Channel (channelId): Update
UnpinMessageFromChannel()
Channel (channelId): Update
GetChannelSuggestions()
No permissions required.

Ensure that the Disallow Get All Channel Metadata checkbox in your keyset configuration in the Admin Portal is unmarked.
CurrentUser()
UUID: Get
CreateUser()
UUID (userId): Get, Update
GetUser()
UUID (userId): Get
GetUsers()
No permissions required.

Ensure that the Disallow Get All User Metadata checkbox in your keyset configuration in the Admin Portal is unmarked.
UpdateUser()
UUID (userId): Update
DeleteUser()
UUID (userId): Delete
GetUserSuggestions()
No permissions required.

Ensure that the Disallow Get All User Metadata checkbox in your keyset configuration in the Admin Portal is unmarked.
WherePresent()
No permissions required.
WhoIsPresent()
Channel (channelId): Read
IsPresent()
No permissions required.
SetRestrictions()
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update
Channel (PUBNUB_INTERNAL_MODERATION.userId): Write
EmitChatEvent()
Channel (channelId): Write
GetEventsHistory()
Channel (channelId): Read
ListenForEvents()
Channel (channelId, channelId-pnpres): Read
ForwardMessage()
Channel (channelId): Write
GetUnreadMessagesCounts()
UUID (currentUser): Get
Channel: Read - for all channels where the user has memberships
MarkAllMessagesAsRead()
UUID (currentUser): Get, Update
Channel: Write, Join - for all channels where the user has memberships
GetCurrentUserMentions()
Channel (channelId of the mention event, userId): Read
CreateThreadChannel()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get
GetThreadChannel()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get
RemoveThreadChannel()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get, Delete
Channel (parentChannelId): Delete

Channel object methods

Chat SDK method(s)Resource: Permission
Update()
Channel (channelId): Update
Connect()
Channel (channelId, channelId-pnpres): Read
Join()
Channel (channelId): Read, Join, Write
Channel (channelId-pnpres): Read
UUID (currentUser): Get, Update
Disconnect()
Channel (channelId, channelId-pnpres): Read
Leave()
UUID (currentUser): Update
Channel (channelId): Join, Read
Channel (channelId-pnpres): Read
DeleteChannel()
Channel (channelId): Delete
SendText()
Channel (channelId): Write
Channel (userId): Write - for every mentioned user
WhoIsPresent()
Channel (channelId): Read
IsPresent()
No permissions required.
SetRestrictions()
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update
Channel (PUBNUB_INTERNAL_MODERATION.userId): Write
GetUserRestrictions()
UUID (userId): Get
GetUsersRestrictions()
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Get
GetHistory()
Channel (channelId): Read
GetMessage()
Channel (channelId): Read
GetMembers()
Channel (channelId): Get
Invite(user)
UUID (userId): Update
Channel (channelId): Get, Write, Join
Channel (userId): Write
InviteMultiple(user[])
Channel (user[]): Write
Channel (channelId): Manage, Write, Join
UUID (user[]): Get, Update
StartTyping()
Channel (channelId): Write
StopTyping()
Channel (channelId): Write
GetTyping()
Channel (channelId, channelId-pnpres): Read
PinMessage()
Channel (channelId): Update
UnpinMessage()
Channel (channelId): Update
GetPinnedMessage()
Channel (channelId): Read
ForwardMessage()
Channel (channelId): Write
EmitUserMention()
Channel (userId): Write
GetUserSuggestions()
Channel: Get
StreamUpdates()
Channel (channelId, channelId-pnpres): Read
StreamUpdatesOn(channel[])
Channel (channelId[], channelId-pnpres[]): Read
StreamPresence()
Channel (channelId, channelId-pnpres): Read
StreamReadReceipts()
Channel (channelId): Get, Read
Channel (channelId-pnpres): Read
GetMessageReportsHistory()
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Read
StreamMessageReports()
Channel (PUBNUB_INTERNAL_MODERATION_channelId, PUBNUB_INTERNAL_MODERATION_channelId-pnpres): Read

User object methods

Chat SDK method(s)Resource: Permission
Update()
UUID (userId): Update
DeleteUser()
UUID (userId): Delete
WherePresent()
No permissions required.
IsPresentOn(channelId)
No permissions required.
SetRestrictions()
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Manage, Update
Channel (PUBNUB_INTERNAL_MODERATION.userId): Write
GetChannelRestrictions(channelId)
Channel (PUBNUB_INTERNAL_MODERATION_channelId): Get
GetChannelsRestrictions()
UUID (userId): Get
GetMemberships()
UUID (userId): Get
StreamUpdates()
UUID (userId, userId-pnpres): Read
StreamUpdatesOn(user[])
UUID (userId[], userId-pnpres[]): Read

Membership object methods

Chat SDK method(s)Resource: Permission
Update()
UUID (userId): Update
Channel: Join
SetLastReadMessageTimetoken()
UUID (userId): Update
Channel: Write, Join
SetLastReadMessage()
UUID (userId): Update
Channel: Write, Join
GetUnreadMessagesCount()
Channel (channelId): Read
StreamUpdates()
Channel (channelId, channelId-pnpres): Read
StreamUpdatesOn(membership[])
Channel (channelId, channelId-pnpres): Read

Message object methods

Chat SDK method(s)Resource: Permission
EditText()
Channel (channelIdOfTheChannelTheMessageWasSent): Write
DeleteMessage()
Channel (channelIdOfTheChannelTheMessageWasSent): Write
DeleteMessageHard()
Channel (channelId): Delete
Channel (threadChannelId): Get, Delete - if the message has a thread attached
Restore()
Channel (channelIdOfTheChannelTheMessageWasSent): Delete
Pin()
Channel (channelId): Get, Update
Unpin()
Channel (channelId): Get, Update, Read
ToggleReaction()
Channel (channelId): Write, Delete
Forward(channel)
Channel (channelId): Write
Report()
Channel (PUBNUB_INTERNAL_MODERATION_channelIdFrom Message): Write
StreamUpdates()
Channel (channelId, channelId-pnpres): Read
StreamUpdatesOn(message[])
Channel (channelId, channelId-pnpres): Read
CreateThread()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get
GetThread()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get
RemoveThread()
Channel (PUBNUB_INTERNAL_THREAD_channelIdOfTheChannelTheMessageWasSent_MessageTimetoken): Get, Delete
Channel (parentChannelId): Delete
QuotedMessage()
Channel (channelId): Get, Read

ThreadChannel object methods

Chat SDK method(s)Resource: Permission
SendText()
Channel (parentChannelId): Write
Channel (threadChannelId): Write, Update
Channel (mentionedUserIds): Write
GetThreadHistory()
Channel (threadChannelId): Read
PinMessageToThread()
Channel (threadChannelId): Update
UnpinMessageFromThread()
Channel (threadChannelId): Update
PinMessageToParentChannel()
Channel (parentChannelId): Get, Update
UnpinMessageFromParentChannel()
Channel (parentChannelId): Get, Update
EmitUserMention()
Channel (userId): Write

ThreadMessage object methods

Chat SDK method(s)Resource: Permission
PinToParentChannel()
Channel (parentChannelId): Get, Update
UnpinFromParentChannel()
Channel (parentChannelId): Get, Update
StreamUpdates()
Channel (threadMessageChannelId, threadMessageChannelId-pnpres): Read
StreamUpdatesOn(threadMessage[])
Channel (threadMessageChannelId, threadMessageChannelId-pnpres): Read

MessageDraft object methods

Chat SDK method(s)Resource: Permission
Send()
Channel (channelId): Write
Channel (userId): Write - for every mentioned user
Last updated on