Introduction
The Agora Signaling SDK provides two different security keys for authentication: App ID and SignalingToken. The following figure shows the environments in which the security keys are used:
Where:
An App ID can easily be obtained and is used in environments with low-security requirements, such as in a testing environment.
A SignalingToken adds security and is used in environments with high-security requirements, such as in a production environment.
An App Certificate is enabled for the sole purpose of generating a SignalingToken and cannot be used alone. Once an App Certificate is enabled, you can only use the SignalingToken for authentication.
App ID
After signing up at Dashboard, multiple projects can be created. Each project will be assigned a unique App ID. Anyone with your App ID can use it on any Agora SDK. Hence, it is prudent to safeguard the App IDs.
To switch your App ID, you must first call the destroy() function to destroy the current instance.
SignalingToken
Agora recommends using a SignalingToken for added security.
How to Get and Use an App ID
Get an App ID
Each Agora account can create multiple projects, and each project has a unique App ID.
Sign up for a new account at https://dashboard.agora.io/.
Click Add New Project on the Projects page of the dashboard.
Fill in the Project Name and click Submit.
Find the App ID under the created project.
Use an App ID
Access the Agora services by using your unique App ID:
Enter the App ID in the start window to enable voice or video communication in the demo.
Add the App ID to the code when developing the application.
Set the
appIdparameter as the App ID when calling APIs.
How to Get and Use a SignalingToken
Each Agora account can create multiple projects, and each project has a unique App ID and App Certificate. You need to use both the App ID and App Certificate to generate a SignalingToken.
Step 1: Get an App ID
Step 2: Get an App Certificate
Login to https://dashboard.agora.io.
Click Add New Project on the Projects page of the dashboard.
Fill in the Project Name and click Submit. Find the App ID under the created project.
Enable the App Certificate for the project.
Click Edit on the top-right of the project.
Click Enable to the right of the App Certificate. Read About App Certificate before confirming the operation.
Click the ‘eye’ icon to view the App Certificate. You can re-click this icon to hide the App Certificate.
An App Certificate is enabled for the sole purpose of generating a Token and cannot be used alone.
Contact support@agora.io to renew an App Certificate.
Keep the App Certificate on the server, never on any client machine.
It takes about an hour for the App Certificate to take effect after it is enabled.
Once the App Certificate is enabled for a project, a SignalingToken must be used. For example, before enabling the App Certificate, an App ID can be used to join a channel; but once an App Certificate is enabled, a SignalingToken must be used to join a channel.
If your project has integrated Agora’s Signaling SDK, you can use the Signaling Token Debugging Switch under App Certificate.
If App Certificate is not enabled, the Signaling Token Debugging Switch is disabled and you can set the SignalingToken to any value.
If App Certificate is enabled:
The Signaling Token Debugging Switch is on if App Certificate is enabled: You can set the SignalingToken or use
_no_need_tokento skip the setting.If you switch off the Signaling Token Debugging Switch, you can set the SignalingToken but cannot set it to
_no_need_token. Otherwise, you will receive the Signaling error code 206.
Step 3: Integrate the Schema
Use the following algorithm to generate a token (SignalingToken):
Input:
appId = "C5D15F8FD394285DA5227B533302A518" // App ID
appCertificate = "fe1a0437bf217bdd34cd65053fb0fe1d" // App Certificate
expiredTime = "1546271999" // Authorized timestamp
account = "test@agora.io" // The user ID defined by the clientUse the following field names in the sequence:
| Field Name | Type | Length | Description |
|---|---|---|---|
| Version | String | SignalingToken version number, fixed as 1. | |
| App ID | String | 32 | App ID provided by Agora, obtained at https://dashboard.agora.io. |
| Authorized Timestamp | Number | 10 | UTC timestamp represented by the number of seconds elapsed since 1/1/1970. Indicates the exact time when a party can no longer use the Agora service (for example, when someone is forced to leave an ongoing call). |
| Sign | String | 32 | Hex code for the signature. A string calculated by the MD5 algorithm based on inputs including the App Certificate and the following fields:
|
Output:
token = "1:appId:expiredTime:md5(account + appId + appCertificate + expiredTime)"
= "1:C5D15F8FD394285DA5227B533302A518:1546271999:md5(test@agora.ioC5D15F8FD394285DA5227B533302A518fe1a0437bf217bdd34cd65053fb0fe1d1546271999)"
= "1:C5D15F8FD394285DA5227B533302A518:1546271999:5c0ee12fdf2020d0d0fdad04d6395473"The generated token is the SignalingToken used to log in the Agora signaling system for Step 4: Use a SignalingToken.
Agora has provided sample code on GitHub for generating the token.
Step 4: Use a SignalingToken
Before a user requests to log in the Agora signaling system:
The client application requests authentication from your organization’s business server.
The server, upon receiving the request, uses the algorithm provided by Agora to generate a SignalingToken and then passes the SignalingToken back to the client application. The SignalingToken is based on the App Certificate, App ID, and User ID defined by the client, and the Authorized Timestamp.
The client application calls the
loginmethod and is required to set the token parameter as the generated SignalingToken.The Agora server receives the SignalingToken and confirms that the call comes from a legitimate user, then allows the user to access the Agora Signaling System.