Authentication and Tokens

100ms uses two types of JWT tokens to authenticate requests coming from your client apps and backend server.

  • Auth token: Allows end-users (peers) to join rooms with 100ms client SDKs
  • Management token: Authenticates requests to the 100ms server-side REST API

Both tokens can be decoded with JWT utilities, like jwt.io.

Tokens overview

Auth token for client SDKs

100ms client SDKs use auth tokens to join a room.

How to get auth tokens?

Set up your token server

Your app calls the token server, which generates and returns a JWT auth token that the app uses to join a 100ms room. This ensures the secret credential of your workspace (called app_secret) is never exposed on the client side. You can also tie token generation to your internal user authentication: generate auth tokens only when the user is authenticated.

An auth token is generated from:

  • app_access_key and app_secret: Find these on the dashboard
  • room_id: Unique identifier for the room that the peer wants to join. Get it from the dashboard or in the response of the create room server-side API
  • role: Name of the role that the peer will join as (e.g. "host")
  • user_id: Your internal identifier, useful to map a 100ms peer object to your internal user object

Sample code

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Credentials from the dashboard; keep app_secret on the server only
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    var payload = {
      access_key: app_access_key,
      room_id: '<room_id>',
      user_id: '<user_id>',
      role: '<role>',
      type: 'app',
      version: 2,
      iat: Math.floor(Date.now() / 1000),
      nbf: Math.floor(Date.now() / 1000)
    };

    jwt.sign(
      payload,
      app_secret,
      { algorithm: 'HS256', expiresIn: '24h', jwtid: uuid4() },
      function (err, token) {
        // Do not log or return an undefined token when signing fails
        if (err) {
          console.error(err);
          return;
        }
        console.log(token);
      }
    );
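The token-server rule described above (issue auth tokens only to authenticated users) as an added example; it is not 100ms's own code. The `session` object, the `ROOM_MEMBERS` table and the function names are hypothetical, and the token is signed with Node's built-in `crypto` instead of `jsonwebtoken` so the block runs without dependencies.

```javascript
// Added example: hypothetical token-server logic, not 100ms's own code.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// HS256-sign a payload in standard JWT compact form using built-in crypto.
function signHs256(payload, secret) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + crypto.createHmac('sha256', secret).update(input).digest('base64url');
}

// Constructed sample data: which internal user may join which room, and in what role.
const ROOM_MEMBERS = new Map([
  ['room-constructed-1', new Map([['alice', 'host'], ['bob', 'guest']])],
]);

// session: result of your own login check (null when not authenticated).
// The role is looked up server-side and never taken from the client's request.
function issueAuthToken(session, roomId, creds, now = Math.floor(Date.now() / 1000)) {
  if (!session || !session.userId) throw new Error('unauthenticated');
  const role = ROOM_MEMBERS.get(roomId)?.get(session.userId);
  if (!role) throw new Error('user is not allowed in this room');
  const payload = {
    access_key: creds.appAccessKey,
    room_id: roomId,
    user_id: session.userId,
    role,
    type: 'app',
    version: 2,
    iat: now,
    nbf: now,
    exp: now + 24 * 60 * 60, // same 24h lifetime as the sample code
    jti: crypto.randomUUID(),
  };
  return signHs256(payload, creds.appSecret);
}

// Check the signature in constant time and return the claims.
function decodeVerified(token, secret) {
  const [h, p, sig] = token.split('.');
  const expected = crypto.createHmac('sha256', secret).update(h + '.' + p).digest();
  const given = Buffer.from(sig || '', 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  return JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
}
```

Because the client supplies only the room it wants, a peer cannot obtain a "host" token by asking for that role.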

Management token for REST API

100ms uses management tokens to authenticate REST APIs. Use app_access_key and app_secret from the dashboard to create the management token.

The management token is not to be exposed on the client-side.

Sample code

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Credentials from the dashboard; keep app_secret on the server only
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    var payload = {
      access_key: app_access_key,
      type: 'management',
      version: 2,
      iat: Math.floor(Date.now() / 1000),
      nbf: Math.floor(Date.now() / 1000)
    };

    jwt.sign(
      payload,
      app_secret,
      { algorithm: 'HS256', expiresIn: '24h', jwtid: uuid4() },
      function (err, token) {
        // Do not log or return an undefined token when signing fails
        if (err) {
          console.error(err);
          return;
        }
        console.log(token);
      }
    );
