Authentication and Tokens

Introduction

In 100ms, two types of tokens are used to authenticate requests coming from your Client apps and Backend application server into the 100ms platform.

  • App token: To authenticate and allow end-users (peers) to join 100ms rooms. An App Token controls Peer identity and Room permissions in your Real-time video or Interactive live-streaming video application.
  • Management token: To authenticate all the requests to 100ms REST API.

You need to host your server to generate these tokens.

You can set an expiry on both of these tokens; if you follow the code samples in this guide, the expiry will be set to 24 hours. However, the best practice is to set the expiry as short as is feasible for your application.

App Token

100ms client-side SDKs use App Tokens to authenticate a peer (participant) while joining a room. Generate this token on the server-side and make it available for your client-side apps that use the 100ms SDKs.

  • To create the App Token, use the app_access_key and app_secret from the developer section in your 100ms dashboard.
  • room_id: This is the unique identifier for your room. You can get it from the rooms page in your dashboard or in the response payload of the create room server-side API.
  • user_id: This identifier can be used to map a 100ms peer to your own internal user object for business logic. Specify your internal user identifier as the peer’s user_id. If not available, use any random string.

Code sample: Generate app token

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Credentials from the developer section of the 100ms dashboard.
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    var payload = {
        access_key: app_access_key,
        room_id: '<room_id>',
        user_id: '<user_id>',
        role: '<role>',
        type: 'app',
        version: 2,
        iat: Math.floor(Date.now() / 1000),
        nbf: Math.floor(Date.now() / 1000)
    };

    // Sign with HS256; expiresIn sets the exp claim and jwtid sets jti.
    jwt.sign(
        payload,
        app_secret,
        {
            algorithm: 'HS256',
            expiresIn: '24h',
            jwtid: uuid4()
        },
        function (err, token) {
            if (err) {
                console.error(err);
                return;
            }
            console.log(token);
        }
    );

Warning

Your app key and secret carry many privileges; please keep them secure.
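
The short-expiry practice from the introduction, as an added example that is not 100ms code: it builds the same app-token claims with Node's built-in crypto module and a caller-chosen lifetime, then checks a token locally and rejects one whose lifetime exceeds a policy limit. The function names (`mintAppToken`, `checkToken`), the shape of the `creds` object and the limit value are assumptions for illustration.

```javascript
// Added example: names below are hypothetical, not part of the 100ms SDK.
const crypto = require('node:crypto');

const b64url = (value) => Buffer.from(value).toString('base64url');
const hmac = (data, secret) =>
  crypto.createHmac('sha256', secret).update(data).digest();
const nowSeconds = () => Math.floor(Date.now() / 1000);

// Build an HS256 app token carrying the claims from the sample above,
// with an explicit lifetime instead of the sample's 24h.
function mintAppToken(creds, ttlSeconds, now = nowSeconds()) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = {
    access_key: creds.accessKey,
    room_id: creds.roomId,
    user_id: creds.userId,
    role: creds.role,
    type: 'app',
    version: 2,
    iat: now,
    nbf: now,
    exp: now + ttlSeconds,
    jti: crypto.randomUUID(),
  };
  const signingInput =
    `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(signingInput, creds.secret))}`;
}

// Local pre-flight check: signature first, then validity window, then
// the lifetime policy (exp - iat must not exceed maxTtlSeconds).
function checkToken(token, secret, maxTtlSeconds, now = nowSeconds()) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  if (now < claims.nbf) return { ok: false, reason: 'not yet valid' };
  if (now >= claims.exp) return { ok: false, reason: 'expired' };
  if (claims.exp - claims.iat > maxTtlSeconds) {
    return { ok: false, reason: 'lifetime exceeds policy' };
  }
  return { ok: true, claims };
}
```

Run `checkToken` in a test or deployment check against tokens your server issues, so that a 24-hour token copied from the sample is caught before it ships.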

Management Token

100ms uses management tokens to authenticate REST APIs. The service required to generate this token should be hosted on your server. You must use the app_access_key and app_secret from the developer section in your 100ms dashboard to create the management token.

Code sample: Generate management token

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Credentials from the developer section of the 100ms dashboard.
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    // Sign with HS256; expiresIn sets the exp claim and jwtid sets jti.
    jwt.sign(
        {
            access_key: app_access_key,
            type: 'management',
            version: 2,
            iat: Math.floor(Date.now() / 1000),
            nbf: Math.floor(Date.now() / 1000)
        },
        app_secret,
        {
            algorithm: 'HS256',
            expiresIn: '24h',
            jwtid: uuid4()
        },
        function (err, token) {
            if (err) {
                console.error(err);
                return;
            }
            console.log(token);
        }
    );

Warning

Your app key and secret carry many privileges; please keep them secure. All requests must be made over HTTPS. Requests made over plain HTTP and without a management token will fail.