Manage access
PubNub's Access Manager controls access to resources. These include channels and user metadata in real‑time apps. For example, you can set up a one‑to‑one chat room or allow only two authenticated clients (individual users or application instances) to send and receive messages in a specific channel.
Define roles and permissions first. For example, a chat app may have moderators who delete messages and regular users who send messages.
Access Manager works by:
- Using time‑limited tokens (TTL)
- Granting tokens that list the permitted operations
- Adding the token to the client SDK after grant
- Sending the token with each call until it expires or you revoke it
You can bind a token to one User ID. Only that User ID is authorized.
Your server requests tokens using an SDK. Not every SDK instance can request tokens. To use Access Manager, first enable it in the Admin Portal. Then set up one of PubNub's SDKs with a secretKey. That server SDK sits between client SDKs and PubNub.
Access Manager integrates with Functions. Use it for server‑side validation and custom logic.
To implement Access Manager, set up a server SDK with a secretKey. The examples below show how.
User ID / UUID
User ID is also referred to as UUID/uuid in some APIs and server responses but holds the value of the userId parameter you set during initialization.
Node.js

```javascript
const pubnub = new PubNub({
    subscribeKey: 'mySubscribeKey',
    publishKey: 'myPublishKey',
    uuid: 'myUniqueUUID',
    secretKey: 'mySecretKey'
});
```

Java

```java
PNConfiguration.Builder configBuilder = PNConfiguration.builder(new UserId("yourUserId"), "yourSubscribeKey");
configBuilder.publishKey("myPublishKey");
configBuilder.secretKey("mySecretKey");
PubNub pubNub = PubNub.create(configBuilder.build());
```

C#

```csharp
PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.Uuid = "myUniqueUuid";
Pubnub pubnub = new Pubnub(pnconfig);
```

Python

```python
from pubnub.pnconfiguration import PNConfiguration
from pubnub.pubnub import PubNub

pn_config = PNConfiguration()
pn_config.publish_key = "my_publish_key"
pn_config.subscribe_key = "my_subscribe_key"
pn_config.uuid = "my_unique_uuid"
pn_config.secret_key = "my_secret_key"
pubnub = PubNub(pn_config)
```

Dart

```dart
final myKeyset = Keyset(
    subscribeKey: 'subscribeKey',
    publishKey: 'publishKey',
    secretKey: 'secretKey',
    userId: UserId('yourUniqueUserId'));
var pubnub = PubNub(defaultKeyset: myKeyset);
```

Kotlin

```kotlin
val pnConfiguration = PNConfiguration(UserId("myUserId")).apply {
    subscribeKey = "my_subkey"
    publishKey = "my_pubkey"
    secretKey = "my_secretkey"
    secure = true
}
val pubnub = PubNub.create(pnConfiguration)
```
To issue a grant request, the client SDK calls your server SDK. The server SDK is the intermediary between clients and PubNub.
Once your server SDK is initialized, you can grant specific permissions to a User ID. The examples below grant the thomas_anderson User ID read access to channel-a and read/write access to channel-b, channel-c, and uuid-d for 15 minutes.
Node.js

```javascript
pubnub.grantToken(
    {
        ttl: 15,
        authorized_uuid: "thomas_anderson",
        resources: {
            channels: {
                "channel-a": {
                    read: true
                },
                "channel-b": {
                    read: true,
                    write: true
                },
                "channel-c": {
                    read: true,
                    write: true
                }
            },
            uuids: {
                "uuid-d": {
                    get: true,
                    update: true
                }
            }
        }
    }, function (status, token) {
        // Check status for errors, then return the token to the client
    });
```

Java

```java
pubnub.grantToken()
    .ttl(15)
    .authorizedUUID("thomas_anderson")
    .channels(Arrays.asList(
        ChannelGrant.name("channel-a").read(),
        ChannelGrant.name("channel-b").read().write(),
        ChannelGrant.name("channel-c").read().write()))
    .uuids(Arrays.asList(
        UUIDGrant.id("uuid-d").get().update()))
    .async(result -> { /* check result */ });
```

C#

```csharp
PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
    .TTL(15)
    .AuthorizedUuid("thomas_anderson")
    .Resources(new PNTokenResources()
    {
        Channels = new Dictionary<string, PNTokenAuthValues>() {
            { "channel-a", new PNTokenAuthValues() { Read = true } },
            { "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
            { "channel-c", new PNTokenAuthValues() { Read = true, Write = true } } },
        Uuids = new Dictionary<string, PNTokenAuthValues>() {
            { "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } } }
    })
    .ExecuteAsync();
PNAccessManagerTokenResult grantTokenResult = grantTokenResponse.Result;
PNStatus grantTokenStatus = grantTokenResponse.Status;
```

Python

```python
from pubnub.models.consumer.v3.channel import Channel
from pubnub.models.consumer.v3.uuid import UUID

channels = [
    Channel.id("channel-a").read(),
    Channel.id("channel-b").read().write(),
    Channel.id("channel-c").read().write(),
]
uuids = [
    UUID.id("uuid-d").get().update()
]
# Parentheses allow the call chain to span several lines
envelope = (
    pubnub.grant_token()
    .channels(channels)
    .uuids(uuids)
    .ttl(15)
    .authorized_uuid("thomas_anderson")
    .sync()
)
```

Dart

```dart
var request = pubnub.requestToken(ttl: 15, authorizedUUID: 'thomas_anderson')
  ..add(ResourceType.channel, name: 'channel-a', read: true)
  ..add(ResourceType.channel, name: 'channel-b', read: true, write: true)
  ..add(ResourceType.channel, name: 'channel-c', read: true, write: true)
  ..add(ResourceType.uuid, name: 'uuid-d', get: true, update: true);
var token = await pubnub.grantToken(request);
```

Kotlin

```kotlin
pubnub.grantToken(
    ttl = 15,
    channels = listOf(
        ChannelGrant.name(name = "channel-a", read = true),
        ChannelGrant.name(name = "channel-b", read = true, write = true),
        ChannelGrant.name(name = "channel-c", read = true, write = true),
    ),
    uuids = listOf(
        UUIDGrant.id(id = "uuid-d", get = true, update = true)
    ),
    authorizedUUID = "thomas_anderson"
).async { result, status ->
    if (status.error) {
        // Handle error
    } else {
        // Grant succeeded; return the token to the client
    }
}
```
When you grant permissions, you don’t need to list every resource. With one call, you can grant access to multiple channels, channel groups, and user metadata using RegEx.
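The role definitions and the RegEx grant described above can be combined in one server-side policy function that builds a least-privilege grant request. This is an added example, not PubNub's code: `ROLE_POLICIES`, `buildGrantRequest`, the `room-`/`notify-` channel names and the 15-minute ceiling are assumptions. It runs without the SDK and only produces the object you would pass to `pubnub.grantToken`.

```javascript
// Added example. ROLE_POLICIES, buildGrantRequest and the channel naming scheme are hypothetical.
const MAX_TTL_MINUTES = 15;            // assumed server-side ceiling on token lifetime
const SAFE_NAME = /^[A-Za-z0-9_-]+$/;  // allowlist: no RegEx metacharacters
const isSafe = (s) => typeof s === 'string' && SAFE_NAME.test(s);

// A Map avoids inherited object keys such as "constructor" being accepted as a role.
const ROLE_POLICIES = new Map([
  ['user', { read: true, write: true }],                     // send and receive
  ['moderator', { read: true, write: true, delete: true }],  // may also delete messages
]);

function buildGrantRequest(session, roomIds, ttl = MAX_TTL_MINUTES) {
  const perms = ROLE_POLICIES.get(session.role);
  if (!perms) throw new Error(`unknown role: ${session.role}`);
  if (!isSafe(session.userId)) throw new Error('invalid user id');
  if (!Number.isInteger(ttl) || ttl < 1 || ttl > MAX_TTL_MINUTES) {
    throw new Error(`ttl must be 1..${MAX_TTL_MINUTES} minutes`);
  }
  const channels = {};
  for (const id of roomIds) {
    if (!isSafe(id)) throw new Error(`invalid room id: ${id}`);
    channels[`room-${id}`] = { ...perms };  // explicit resource, one per room
  }
  return {
    ttl,
    authorized_uuid: session.userId,  // binds the token to one User ID
    resources: {
      channels,
      uuids: { [session.userId]: { get: true, update: true } },  // own metadata only
    },
    patterns: {
      // Anchored RegEx: this user's notification channels and nothing else.
      channels: { [`^notify-${session.userId}-[a-z]+$`]: { read: true } },
    },
  };
}

// Constructed sample session; on a real server it comes from your own login check,
// never from a user id supplied in the client's request body.
const sample = buildGrantRequest({ userId: 'thomas_anderson', role: 'user' }, ['a', 'b']);
console.log(JSON.stringify(sample, null, 2));
```

Pass the returned object to the server SDK's `grantToken` call and hand only the resulting token back to the client.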
Some operations create network events. Examples include joining or leaving a channel and sending a message. Learn how to intercept these events and trigger your business logic.