Access Manager
Migrate from v2 to v3
This is a newly released version of Access Manager. If you already use Access Manager in v2, you need to update your configuration before you start using the new version. Read the Migration Guide for all the necessary migration steps.
When you develop an in-app messaging application, you might want to set rules that would only allow a selected user to access specific channels and user metadata. This is where Access Manager comes in. With it, you can set up a detailed permission schema for your application and decide who can do what with your data. This way you secure your application and protect it against any unauthorized third-party access attempts.
Access Manager (v3) is a cryptographic, token-based permission administrator that allows you to regulate clients' access to PubNub resources, such as channels, channel groups, and User IDs. For instance, you can make a one-to-one chat room private by only allowing two users to be able to read and write messages in this channel. Alternatively, you can make a channel public by giving all users access to it. With Access Manager, you can define multiple permissions in a single API call by listing resource groups explicitly or creating patterns with regular expressions (RegEx).
User ID / UUID
User ID is also referred to as UUID/uuid in some APIs and server responses but holds the value of the userId parameter you set during initialization.
Applications built with Access Manager create tokens with individual permissions for each authorized user of the application. These tokens are generated by PubNub. A client device would need to acquire an appropriate token for its user and pass the token with any request made to the PubNub API.
Configuration
To use Access Manager, you must enable and configure it on a chosen app's keyset in the Admin Portal.
| Option | Description |
|---|---|
| Revoke v3 Token | This feature lets you invalidate a previously issued token so that it can no longer be used to authenticate requests for access to PubNub resources. |
Authorization flow
There are three actors involved in the authorization process:
-
Server - Client applications that use Access Manager require a centralized server application that keeps track of all interactions between the users and the PubNub resources they have access to. The server is solely authorized to request permission grants from PubNub. It should also expose an API through which clients can request new or updated tokens. In-app messaging applications usually have a centralized server in place to support such operations as validation of users logging in to clients. The same server can be used to implement and manage the Access Manager logic in your application.
-
Client device - A client that represents a single device where a user logs in to perform an operation supported by PubNub. For Access Manager-enabled applications, a client needs to request a token from the centralized server before making PubNub API calls and attempting to access resources such as channels, channel groups, and User ID metadata. Clients also need logic to periodically refresh their user’s token before it expires.
-
PubNub - The PubNub platform provides APIs to support both centralized server applications and client devices associated with a particular user. Server applications call the grant API to generate or refresh tokens. Client applications pass these tokens in requests to PubNub APIs (such as publish or subscribe) for PubNub to validate that the user associated with the client has the appropriate permissions.
A typical client authorization could look as follows:
-
Upon login, the client device requests authorization to be able to send requests to PubNub.
-
The server issues a token request to PubNub by defining the permissions it needs to give to a specific authorized User ID.
-
PubNub reads these permissions and returns a signed, self-contained, and time-limited access token to the server.
-
The server passes the token to the client device as part of the login response.
-
The client device adds the token to the client's SDK configuration.
-
When the client device later makes PubNub API calls, the SDK passes the configured token. It can continue to do so until the token expires or is revoked, at which point it needs to request a new token to be issued.
Server-side operations
A centralized server is an implementation that initializes with a server-side PubNub SDK authenticated by a secretKey. Permissions grants can only be requested by a server.
Initialize with a secret key
The secretKey lets you use Access Manager to provide clients with access to PubNub resources, change access levels, and remove permissions. When you initialize PubNub with the secretKey, you get root permissions for Access Manager. With this feature, you don't have to grant access to your servers to access channel data as the servers get read and write access to all resources.
Secret key security
The secretKey should only be used within a secure server and never exposed to client devices. If the secretKey is ever compromised, it can be an extreme security risk to your application. If you suspect your secretKey has been compromised, you have the ability to regenerate a new secretKey for the existing PubNub keyset on the Admin Portal.
- Node.js
- Python
- Java
- Kotlin
- Go
- C#
- Dart
- PHP
- Ruby
const pubnub = new PubNub({
subscribeKey: "mySubscribeKey",
publishKey: "myPublishKey",
secretKey: "mySecretKey",
userId: "myUniqueUserId"
});
pn_config = PNConfiguration()
pn_config.subscribe_key = "my_subscribe_key"
pn_config.publish_key = "my_publish_key"
pn_config.secret_key = "my_secret_key"
pn_config.user_id = "my_unique_user_id"
pubnub = PubNub(pn_config)
PNConfiguration.Builder configBuilder = PNConfiguration.builder(new UserId("yourUserId"), "yourSubscribeKey");
// publishKey from Admin Portal (only required if publishing)
configBuilder.publishKey("PublishKey");
configBuilder.secretKey("mySecretKey");
PubNub pubNub = PubNub.create(configBuilder.build());
val pnConfiguration = PNConfiguration(UserId("myUserId")).apply {
subscribeKey = "my_subkey"
publishKey = "my_pubkey"
secretKey = "my_secretkey"
secure = true
}
pnconfig := pubnub.NewConfig()
pnconfig.SubscribeKey = "MySubscribeKey"
pnconfig.PublishKey = "MyPublishKey"
pnconfig.SecretKey = "MySecretKey"
pnconfig.SetUserId(UserId("myUniqueUserId"))
pn := pubnub.NewPubNub(pnconfig)
PNConfiguration pnconfig = new PNConfiguration();
pnconfig.SubscribeKey = "mySubscribeKey";
pnconfig.PublishKey = "myPublishKey";
pnconfig.SecretKey = "mySecretKey";
pnconfig.UserId = "MyUniqueUserId";
Pubnub pubnub = new Pubnub(pnconfig);
final myKeyset = Keyset(
subscribeKey: 'mySubscribeKey',
publishKey: 'myPublishKey',
secretKey: 'mySecretKey',
userId: UserId('yourUniqueUserId')
);
use PubNub\PNConfiguration;
$pnConfiguration = new PNConfiguration();
$pnConfiguration->setSubscribeKey("MySubscribeKey");
$pnConfiguration->setPublishKey("MyPublishKey");
$pnConfiguration->setSecretKey("MySecretKey");
$pnConfiguration->setUserId("MyUniqueUserId");
pubnub = Pubnub.new(
subscribe_key: 'my_subscribe_key',
publish_key: 'my_publish_key',
secret_key: 'my_secret_key',
user_id: 'myUniqueUserId'
);
Grant permissions
Once you've enabled Access Manager on the Admin Portal and initialized the PubNub object with a secretKey, you can assign permissions to client devices. To do this, make a call to the PubNub server in which you request it to grant a new token. Specify the authorized User ID which will use the token exclusively, its permissions to resources (provided in a sequence and/or as regular expressions), and a ttl (time to live) for the grant.
An authorized User ID can have permissions for:
- Channels
- Channel groups
- User IDs (which are other users' object metadata, such as their names or avatars)
Once the grant is successful, the server responds to the client device's authentication request by returning a token with embedded permissions.
The code below grants the my-authorized-uuid:
- Read access to
channel-a,channel-group-b, anduuid-c. - Read/write access to
channel-b,channel-c,channel-d, anduuid-d. - Read access to all channels that match the
channel-[A-Za-z0-9]RegEx pattern.
- Node.js
- Python
- Java
- Kotlin
- Go
- C
- C#
- Dart
- PHP
- Ruby
pubnub.grantToken(
{
ttl: 15,
authorized_uuid: "my-authorized-uuid",
resources: {
channels: {
"channel-a": {
read: true
},
"channel-b": {
read: true,
write: true
},
"channel-c": {
read: true,
channels = [
Channel.id("channel-a").read(),
Channel.pattern("channel-[A-Za-z0-9]").read(),
Channel.id("channel-b").read().write(),
Channel.id("channel-c").read().write(),
Channel.id("channel-d").read().write()
]
channel_groups = [
Group.id("channel-group-b").read()
]
uuids = [
UUID.id("uuid-c").get(),
UUID.id("uuid-d").get().update()
]
envelope = pubnub.grant_token()
pubnub.grantToken()
.ttl(15)
.authorizedUUID("my-authorized-uuid")
.channels(Arrays.asList(
ChannelGrant.name("channel-a").read(),
ChannelGrant.name("channel-b").read().write(),
ChannelGrant.name("channel-c").read().write(),
ChannelGrant.name("channel-d").read().write(),
ChannelGrant.pattern("^channel-[A-Za-z0-9]*$").read()))
.channelGroups(Collections.singletonList(
ChannelGroupGrant.id("channel-group-b").read()))
.uuids(Arrays.asList(
UUIDGrant.id("uuid-c").get(),
UUIDGrant.id("uuid-d").get().update()))
.async(result -> { /* check result */ });
pubnub.grantToken(
ttl = 15,
authorizedUUID = "my-authorized-uuid",
channels = listOf(
ChannelGrant.name(name = "channel-a", read = true),
ChannelGrant.name(name = "channel-b", read = true, write = true),
ChannelGrant.name(name = "channel-c", read = true, write = true),
ChannelGrant.name(name = "channel-d", read = true, write = true),
ChannelGrant.pattern(pattern = "^channel-[A-Za-z0-9]*$", read = true)
),
channelGroups = listOf(
ChannelGroupGrant.id(id = "channel-group-b", read = true)
),
uuids = listOf(
UUIDGrant.id(id = "uuid-c", get = true),
res, status, err := pn.GrantToken().
TTL(15).
AuthorizedUUID("my-authorized-uuid").
Channels(map[string]pubnub.ChannelPermissions{
"channel-a": {
Read: true,
},
"channel-b": {
Read: true,
Write: true,
},
"channel-c": {
Read: true,
Write: true,
},
char* author_uuid = "my-authorized-uuid";
struct pam_permission cha_perm = {.read=true };
struct pam_permission cgb_perm = {.read=true };
struct pam_permission uidc_perm = {.get=true };
struct pam_permission chb_perm = {.read=true, .write=true };
struct pam_permission chc_perm = {.read=true, .write=true };
struct pam_permission chd_perm = {.read=true, .write=true };
struct pam_permission uidd_perm = {.get=true, .update=true };
struct pam_permission pat_ch_perm = {.read=true };
int perm_cha = pubnub_get_grant_bit_mask_value(cha_perm);
int perm_chb = pubnub_get_grant_bit_mask_value(chb_perm);
int perm_chc = pubnub_get_grant_bit_mask_value(chc_perm);
PNResult<PNAccessManagerTokenResult> grantTokenResponse = await pubnub.GrantToken()
.TTL(15)
.AuthorizedUuid("my-authorized-uuid")
.Resources(new PNTokenResources()
{
Channels = new Dictionary<string, PNTokenAuthValues>() {
{ "channel-a", new PNTokenAuthValues() { Read = true } },
{ "channel-b", new PNTokenAuthValues() { Read = true, Write = true } },
{ "channel-c", new PNTokenAuthValues() { Read = true, Write = true } },
{ "channel-d", new PNTokenAuthValues() { Read = true, Write = true } }},
ChannelGroups = new Dictionary<string, PNTokenAuthValues>() {
{ "channel-group-b", new PNTokenAuthValues() { Read = true } } },
Uuids = new Dictionary<string, PNTokenAuthValues>() {
{ "uuid-c", new PNTokenAuthValues() { Get = true } },
{ "uuid-d", new PNTokenAuthValues() { Get = true, Update = true } }}
var request = pubnub.requestToken(
ttl: 15, authorizedUUID: 'my-authorized-uuid')
..add(ResourceType.channel, name: 'channel-a', read: true)
..add(ResourceType.channelGroup, name: 'channel-group-b', read: true)
..add(ResourceType.uuid, name: 'uuid-c', get: true)
..add(ResourceType.channel, name: 'channel-b', read: true, write: true)
..add(ResourceType.channel, name: 'channel-c', read: true, write: true)
..add(ResourceType.channel, name: 'channel-d', read: true, write: true)
..add(ResourceType.uuid, name: 'uuid-d', get: true, update: true)
..add(ResourceType.channel, pattern: 'channel-[A-Za-z0-9]', read: true);
var token = await pubnub.grantToken(request);
print('grant token = $token');
$pubnub->grantToken()
->ttl(15)
->authorizedUuid('my-authorized-uuid')
->addChannelResources([
'channel-a' => ['read' => true],
'channel-b' => ['read' => true, 'write' => true],
'channel-c' => ['read' => true, 'write' => true],
'channel-d' => ['read' => true, 'write' => true],
])
->addChannelGroupResources([
'channel-group-b' => ['read' => true],
])
->addUuidResources([
'uuid-c' => ['get' => true],
'uuid-d' => ['get' => true, 'update' => true],
pubnub.grant_token(
ttl: 15,
authorized_uuid: "my-authorized-uuid",
channels: {
"channel-a": Pubnub::Permissions.res(
read: true
),
"channel-b": Pubnub::Permissions.res(
read: true,
write: true
),
"channel-c": Pubnub::Permissions.res(
read: true,
write: true
),
Token size limits
Since a token stores all access mappings, its size increases with the number of embedded permissions. The token size can impact the overall size of the HTTP request. If your PubNub request, such as publish or subscribe, exceeds 32 KiB, it will fail with the 414 URI Too Long status code response. To keep the token size within limits, use RegEx patterns rather than resource lists to set permissions, and keep the resource naming consistent. For more information, refer to channel naming convention or contact support for assistance.
TTL
The ttl parameter is the number of minutes before the granted permissions expire, at which point the client has to be re-granted the new token. ttl is a required parameter for every grant call and there is no default value set for it.
The minimum system value for ttl is 1 (1 minute) and the maximum value is 43200 (30 days). For security reasons, it's recommended to set ttl between 10 and 60 minutes. If your business case requires ttl to be higher than the allowed limit, contact support for assistance.
RegEx
You can grant an authorized UUID access to channels, channel groups, and metadata of different UUIDs in a single API call. There are two ways for doing that:
- Provide a single resource or a sequence of resources that an authorized UUID should be able to access.
- Grant an authorized UUID access to a pattern-based sequence of UUIDs, channels, or channel groups using regular expressions.
To make a successful grant request, you must specify permissions for at least one UUID, channel, or channel group, either as a resource sequence or as a pattern (RegEx).
Authorized UUID
For a higher level of security, you can specify one top-level authorized UUID in the grant payload. When specified, this UUID will be embedded in the token and returned by the grant request. This ensures that any request to PubNub that uses that token has to come from that authorized UUID. Otherwise, PubNub will reject the request and deny access to the resources.
Authorized UUID vs UUIDs
The grant request body contains the uuids key which defines permissions required to access the other UUIDs' (users') metadata. The UUIDs contained within have nothing to do with the UUID authorized to use the token. To allow a UUID to use a particular token, specify this UUID as an authorized one (authorized_uuid). The value of that parameter must be an instance of a preexisting client's UUID that was set during the initialization of its PubNub object. For more information about setting UUIDs, refer to Identity Management.
Change permissions
Depending on the application's logic, there might be a need to change the user's original permissions. For example, an application may dictate that a user should be added or removed from a channel in certain cases. When this occurs, the server should make a new grant request to PubNub with the updated permissions and ensure that some logic provides the appropriate client(s) with the updated token(s).
Revoke permissions
Enable token revoke
To revoke tokens, you must first enable this feature on the Admin Portal. To do that, navigate to your app's keyset and mark the Revoke v3 Token checkbox in the ACCESS MANAGER section.
Access Manager allows you to disable (revoke) a token. This means that all calls to any PubNub API that use a revoked token will fail with a 403 Revoked Token error. Revoking tokens is particularly useful when you need to quickly remove access to PubNub resources.
You can only revoke a valid token previously obtained through a token grant request. Each revoked token is stored in a deny list (usual charges apply) allowing for quick lookup of revoked tokens.
There are certain constraints to consider when revoking tokens:
- You can only enable the token revoke feature if the token
ttlfor the subkey is less than or equal to 30 days. If thatttlvalue doesn't meet your requirements, contact support. - If support changes your token's
ttlto exceed 30 days, you can disable the token revoke functionality, but can't re-enable it using the Admin Portal. To do that, contact support. - You can only revoke one token per one revoke call, batch revokes aren't supported.
- It may take up to 1 minute for the token revoke request to take effect.
- You can't re-enable a revoked token.
- Node.js
- Python
- Java
- Kotlin
- Go
- C#
- Dart
- PHP
- Ruby
const token = await pubnub.revokeToken("p0AkFl043rhDdHRsple3KgQ3NwY6BDcENnctokenVzcqBDczaWdYIGOAeTyWGJI");
envelope = pubnub.revoke_token("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV")
.sync()
pubnub.revokeToken()
.token("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV")
.sync()
pubnub.revokeToken("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV")
.sync()
res, status, err := pn.RevokeToken()
.Token("p0thisAkFl043rhDdHRsCNlY3JldAFDZ3Jwsample3KgQ3NwY6BDENnctokenV")
.Execute()
PNResult<PNAccessManagerRevokeTokenResult> revokeTokenResponse = await pubnub
.RevokeToken()
.Token("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV")
.ExecuteAsync();
PNAccessManagerRevokeTokenResult revokeTokenResult = revokeTokenResponse.Result;
PNStatus revokeTokenStatus = revokeTokenResponse.Status;
if (!revokeTokenStatus.Error && revokeTokenResult != null)
{
Console.WriteLine("Revoke token success");
}
else
{
Console.WriteLine(pubnub.JsonPluggableLibrary.SerializeToJsonString(revokeTokenStatus));
}
await pubnub.revokeToken("p0AkFl043rhDdHRsple3KgQ3NwY6BDcENnctokenVzcqBDczaWdYIGOAeTyWGJI");
$pubnub->revokeToken("p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV")
->sync();
pubnub.revoke_token(token: "p0thisAkFl043rhDdHRsCkNyZXisRGNoYW6hanNlY3JldAFDZ3Jwsample3KgQ3NwY6BDcGF0pERjaGFuoENnctokenV", http_sync: true)
Token caching
For improved operational efficiency, PubNub caches the tokens. During the permissions check, if a token isn't present in the deny list, PubNub will cache this state for up to 1 minute.
If the token was found in the deny list, the system will cache this response for the ttl of the token.
Token expiration
Each time an authenticated request is made to the PubNub server, the server checks if the token embedded in the request is still valid. Each token has a specific ttl and once it expires, it will need to be replaced so that the client can make successful calls to PubNub. If the client sends an expired token, the PubNub server will return a 403 with a respective error message. To change or extend client device access to specific resources, you must grant a new token with modified permissions. To address the token expiration effectively, it's recommended for applications using Access Manager to have a token refresh strategy that would follow one of these approaches:
-
The server maintains a list of expiry times, automatically refreshes soon-to-be-stale tokens, and proactively sends the new token to the clients. Clients should respond to these updates by updating the token in the SDK.
-
Client checks the
ttlwhenever it receives a token and sets a timer to make a refresh request. The server supports a refresh API. -
Client supports the logic that handles
403responses, makes a just-in-time refresh request, updates the SDK upon getting a new token, and retries the request that fails.
Client-side operations
In general, client applications don't generate tokens, but rather call server APIs to obtain tokens. The syntax and implementation of these client and server APIs are up to the developer. This section outlines operations that a client may take after getting a token from the centralized server applications.
Check permissions
Access Manager v3 allows you to decode your permissions by parsing a token. You don't need a secretKey to request token details.
Use this method whenever you want to:
- Debug an issue to diagnose the reason for a failing request that returns a
403. - Inspect privileges embedded in the token to check if you have access to a given resource.
Request token details:
- Node.js
- Python
- Java
- Kotlin
- Swift
- Objective-C
- Go
- C
- Unity
- C#
- Dart
- PHP
- Ruby
pubnub.parseToken("yourToken")
pubnub.parse_token("your_token")
pubnub.parseToken("yourToken")
pubnub.parseToken("yourToken")
pubnub.parse(token: "yourToken")
PNPAMToken *token = [self.client parseAuthToken:@"yourToken"];
NSLog(@"Token permissions: %@", token);
pubnub.ParseToken("YourToken") // Given the "pubnub" package is imported: import (pubnub "github.com/pubnub/go/v5")
char* cbor_data = pubnub_parse_token(<pubnub_context>, "yourToken");
pubnub.ParseToken("yourToken")
pubnub.ParseToken("yourToken")
pubnub.parseToken("yourToken")
$pubnub->parseToken("yourToken");
pubnub.parse_token("yourToken")
See a sample response:
{
"version":2,
"timestamp":1629394579,
"ttl":15,
"authorized_uuid": "user1",
"resources":{
"uuids":{
"user1":{
"read":false,
"write":false,
"manage":false,
"delete":false,
"get":true,
"update":true,
"join":false
Request a new token
When a client makes an API request using a token that has expired or has been revoked, PubNub API will respond with the 403 Token is expired or 403 Token revoked error message. To renew access, the client should include the logic that prompts the server to request a new token to be generated by PubNub. The authorization flow looks similar to the already described login example. In both cases the server first includes the application-specific logic to validate that the request came from an authorized client, and then makes a PubNub token grant request:
After either a login or a token refresh request from the client, the server passes the newly generated token back to the client device, which then needs to update its configuration and set the new token:
- Node.js
- Python
- Java
- Kotlin
- Swift
- Objective-C
- Go
- C
- Unity
- C#
- Dart
- PHP
- Ruby
pubnub.setToken("newToken")
pubnub.set_token("new_token")
pubnub.setToken("newToken")
pubnub.setToken("newToken")
pubnub.set(token: "newToken")
[self.client setAuthToken:@"NewToken"];
pn.SetToken("NewToken")
pubnub.pubnub_set_token(<pubnub_context>, "NewToken")
pubnub.SetToken("newToken")
pubnub.SetAuthToken("newToken")
pubnub.setToken("newToken")
$pubnub->setToken("newToken");
pubnub.set_token("newToken")
Permissions
Access Manager v3 allows permissions to be granted for the following PubNub resources. These are the permission flags allowed for each resource:
| Resource | Available Permissions |
|---|---|
| Channel | read, write, delete, get, update, manage, join |
| Channel Group | read, manage |
| UUID Metadata | get, update, delete |
Operations to permissions mapping
The following tables show the mappings of API operations to resources and permissions.
Pub/Sub
| PubNub Operation | Resource | Permission |
|---|---|---|
| Publish on channel | Channel | Write |
| Signal on channel | Channel | Write |
| Subscribe to channel | Channel | Read |
| Subscribe to presence channel | Presence Channel (-pnpres) | Read |
| Subscribe to channel group | Channel Group | Read |
| Subscribe to presence channel group | Presence Channel Group (-pnpres) | Read |
| Unsubscribe from channel | Channel | None required |
| Unsubscribe from channel group | Channel Group | None required |
Presence
| PubNub Operation | Resource | Permission |
|---|---|---|
| Here Now | Channel | Read |
| Where Now | Channel | none required |
| Get State | Channel | Read |
| Set State | Channel | Read |
Message Persistence
| PubNub Operation | Resource | Permission |
|---|---|---|
| History - Fetch Messages | Channel | Read |
| Message Counts | Channel | Read |
| Delete Messages | Channel | Delete |
File Sharing
| PubNub Operation | Resource | Permission |
|---|---|---|
| Send file on channel | Channel | Write |
| List files | Channel | Read |
| Download file | Channel | Read |
| Delete file | Channel | Delete |
Channel groups
| PubNub Operation | Resource | Permission |
|---|---|---|
| Add Channels to channel group | Channel Group | Manage |
| Remove Channels from channel group | Channel Group | Manage |
| List Channels in channel group | Channel Group | Manage |
| Remove channel group | Channel Group | Manage |
App Context
| PubNub Operation | Resource | Permission |
|---|---|---|
| Set user metadata | UUID | Update |
| Delete user metadata | UUID | Delete |
| Get user metadata | UUID | Get |
| Get all user metadata | UUID | Managed by the Disallow Get All User Metadata option in the App Context configuration on the Admin Portal.When this option is unchecked, and Access Manager is enabled in an app, you can get metadata of all users without the need to define that in the permissions schema included in the authentication token. |
| Set channel metadata | Channel | Update |
| Delete channel metadata | Channel | Delete |
| Get channel metadata | Channel | Get |
| Get all channel metadata | Channel | Managed by the Disallow Get All Channel Metadata option in the App Context configuration on the Admin Portal.When this option is unchecked, and Access Manager is enabled in an app, you can get metadata of all channels without the need to define that in the permissions schema included in the authentication token. |
| Set channel members | Channel | Manage |
| Remove channel members | Channel | Manage |
| Get channel members | Channel | Get |
| Set channel memberships | Channel, UUID | Channels: Join UUID: Update |
| Remove channel memberships | Channel, UUID | Channels: Join UUID: Update |
| Get channel memberships | UUID | Get |
Mobile Push Notifications
| PubNub Operation | Resource | Permission |
|---|---|---|
| Register channel for push | Channel | Read |
| Remove channel's push registration | Channel | Read |
Message Reactions
| PubNub Operation | Resource | Permission |
|---|---|---|
| Add Message Action | Channel | Write |
| Remove Message Action | Channel | Delete |
| Get Message Actions | Channel | Read |
| Get History with Actions | Channel | Read |