Authentication and Tokens

100ms uses two types of JWT tokens to authenticate requests coming from your client apps and backend server.

  • Auth token: Allows end users (peers) to join rooms with 100ms client SDKs
  • Management token: Authenticates requests to the 100ms server-side REST API

Both tokens can be decoded with JWT utilities, like jwt.io. The payload is signed, not encrypted, so anyone who holds a token can read its claims.

Tokens overview

Auth token for client SDKs

100ms client SDKs use auth tokens to join a room.

How to get auth tokens?

  1. No-Code way to get started - Get temporary auth tokens from the dashboard
  2. Auth token server - Programmatically generate auth tokens by setting up an auth token server
  3. Via Room Codes - Get auth tokens by generating unique room codes. Head to Room Code Authentication for more details.

Room Links with Room Codes

Room Codes also come in handy if you want to generate Room Links that can be shared with your users or embedded as an iframe in your application.

Set up your token server

Your app will call the token server, which generates and returns a JWT auth token for the app to join a 100ms room. This ensures the secret credential of your workspace (called app_secret) is not exposed to the client side. You can also tie it to your internal user authentication: generate auth tokens only when the user is authenticated.

An auth token is generated with:

  • app_access_key and app_secret: Find these on the dashboard
  • room_id: Unique identifier for the room that the peer wants to join. Get it from the dashboard or in the response of the create room server-side API
  • role: Name of the role that the peer will join as (for example "host")
  • user_id: Your internal identifier, useful to map a 100ms peer object to your internal user object

Sample code

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Keep app_secret on the server; it must never ship in client code.
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    var payload = {
      access_key: app_access_key,
      room_id: '<room_id>',
      user_id: '<user_id>',
      role: '<role>',
      type: 'app',
      version: 2,
      iat: Math.floor(Date.now() / 1000),
      nbf: Math.floor(Date.now() / 1000)
    };

    jwt.sign(
      payload,
      app_secret,
      { algorithm: 'HS256', expiresIn: '24h', jwtid: uuid4() },
      function (err, token) {
        // Do not hand out anything if signing failed.
        if (err) {
          console.error('Failed to sign auth token:', err.message);
          return;
        }
        console.log(token);
      }
    );
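The sample above signs whatever room_id, user_id and role it is given, so a token server built on it has to decide those values itself. The following is an added example, not 100ms code: it issues a token only for an authenticated session and looks the role up server-side. It assumes Node's built-in crypto module in place of jsonwebtoken and uuid4; the ROOM_ROLES table, the session shape and the function names are hypothetical.

```javascript
const crypto = require('crypto');

// Placeholders as in the page's sample; load the secret from server-side config only.
const APP_ACCESS_KEY = '<app_access_key>';
const APP_SECRET = '<app_secret>';

// Constructed sample data: the role each internal user holds in each room.
const ROOM_ROLES = new Map([
  ['room-1', new Map([['user-42', 'host'], ['user-77', 'guest']])],
]);

const b64url = (value) => Buffer.from(value).toString('base64url');

// HS256-sign a claims object into a compact JWT (header.payload.signature).
function signHs256(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Token-server logic. `session` is the caller's already-verified login session
// (hypothetical shape { userId }), or null when the caller is not logged in.
function issueAuthToken(session, roomId, ttlSeconds = 24 * 60 * 60) {
  if (!session || !session.userId) throw new Error('unauthenticated');
  const role = ROOM_ROLES.get(roomId)?.get(session.userId);
  if (!role) throw new Error('forbidden');
  const now = Math.floor(Date.now() / 1000);
  return signHs256({
    access_key: APP_ACCESS_KEY,
    room_id: roomId,
    user_id: session.userId, // taken from the session, never from the request body
    role,                    // looked up server-side, never client-supplied
    type: 'app',
    version: 2,
    iat: now,
    nbf: now,
    exp: now + ttlSeconds,   // 24h default, matching the page's sample
    jti: crypto.randomUUID(),
  }, APP_SECRET);
}

// Read the claims without the secret: the payload is only base64url-encoded.
function decodeClaims(token) {
  return JSON.parse(Buffer.from(token.split('.')[1], 'base64url').toString('utf8'));
}
```

The request supplies only the room it wants to join; an unknown user or room gets an error instead of a token.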

Management token for REST API

100ms uses management tokens to authenticate REST API requests. Use app_access_key and app_secret from the dashboard to create the management token.

Never expose the management token on the client side.

For testing and demos, a management token is available in the 'Developer' section of the dashboard. The default validity of the generated token is 7 days. New tokens can be generated with a custom validity, up to a maximum of 14 days.

Management Token on Dashboard

Our recommendation is to set up your own token server once testing is complete.

Sample code

    var jwt = require('jsonwebtoken');
    var uuid4 = require('uuid4');

    // Run this on your backend only; app_secret must never reach the client.
    var app_access_key = '<app_access_key>';
    var app_secret = '<app_secret>';

    var payload = {
      access_key: app_access_key,
      type: 'management',
      version: 2,
      iat: Math.floor(Date.now() / 1000),
      nbf: Math.floor(Date.now() / 1000)
    };

    jwt.sign(
      payload,
      app_secret,
      { algorithm: 'HS256', expiresIn: '24h', jwtid: uuid4() },
      function (err, token) {
        // Do not use the result if signing failed.
        if (err) {
          console.error('Failed to sign management token:', err.message);
          return;
        }
        console.log(token);
      }
    );
