Secure authentication with tokens
Authentication is the act of validating the identity of a user before they access a system. Agora uses digital tokens to authenticate users and their privileges before they access Signaling. A token is a string used to verify user privileges when logging in or joining a channel. When a user connects to Agora and passes in the token, the server verifies the user's identity and permissions based on the information in the token.
This page shows you how to set up a token server, and use it to connect securely to Signaling.
Understand the tech
Signaling provides two types of channels:
- Message channels: To join a message channel, you only need to use an RTM token when calling the login method. An RTM token is valid only for the user Id that you use to generate it.
- Stream channels: To join a stream channel, you use an RTC token when calling the join method. An RTC token is valid only for the channel name and the user Id that you used to generate it.
The following figure shows the call flow you implement to create step-up-authentication with Signaling:
To log in to Signaling, your app retrieves an RTM token from the token server in your security infrastructure. Your app then sends this token to Agora SD-RTN™ for authentication. Agora SD-RTN™ validates the token and reads the user and project information stored in the token. To join a stream channel you request an RTC token from the server by supplying a user Id and a channel name. You do not need an authentication token to subscribe to a message channel.
A token contains the following information:
- The App ID of your Agora project
- The user Id of the user to be authenticated
- The stream channel name (RTC token only)
- The Unix timestamp indicating when the token will expire
Prerequisites
Ensure that you have:
-
Integrated the Signaling SDK in your project, and implemented the framework functionality from the SDK quickstart page.
-
The following information from Agora Console:
- App ID: A unique string provided by Agora that identifies your project.
- App certificate: A string generated using Agora Console to enable token authentication. To obtain the App certificate for your project, enable primary certificate.
Implement basic authentication
In the SDK quickstart, the app uses an authentication token obtained from Agora Console to join a channel. In a production environment, your app retrieves this token from a token server.
Token generation code
Agora provides an open source token generator code repository on GitHub. The repository contains code samples, based on the HMAC-SHA256
algorithm, in the following languages to generate tokens on your own server:
Language | Core method | Sample code |
---|---|---|
Go | buildToken | sample.go |
PHP | buildToken | RtmTokenBuilder2Sample.php |
Python 2 | buildToken | RtmTokenBuilder2Sample.py |
Python 3 | buildToken | RtmTokenBuilder2Sample.py |
C++ | buildToken | RtmTokenBuilder2Sample.cpp |
Java | buildToken | RtmTokenBuilder2Sample.java |
Generate a token
This section shows you how to generate an RTM token using Go language AccessToken2 code from the GitHub repository. To use another language refer to the code samples and READMEs in the Github repository. To generate an RTC token refer to Generate an RTC token.
Before proceeding, make sure that you have:
- Installed Go 1.14 or above
- If you are using a Go version lower than 1.16, set the
GO111MODULE
environment variable toon
.
Take the following steps to set up a token generation server:
-
Create a
server.go
file containing the following code. ReplaceYour_App_ID
andYour_App_Certificate
with your app ID and app certificate from Agora Console.Refer to the
BuildToken
API reference for parameter descriptions. -
The
go.mod
file defines the import paths and dependencies. To create this file for your token server, run the following command: -
To install the dependencies, run the following command:
-
To start the server, execute:
This sample server is for development purposes only. It should not be used in a production environment.
Login with a token
To log in to Signaling using an RTM token, fetch a token from your token server and pass it to the SDK by calling login
:
- The user ID and app ID you use to initialize the Signaling client instance must be the same as the user ID and app ID you use on the token server to generate a token.
- When integrating the Signaling SDK into your app, ensure that the app certificate is properly configured. The app certificate serves as a key authentication mechanism between your app and Agora SD-RTN™ to ensure secure and reliable communication.
Join a stream channel using a token
To join a stream channel using a token, fetch an RTC token from your token server and pass it to the SDK when you call join
. For details, refer to the API reference.
Token expiration and renewal
You configure the validity period of an RTM token in your token generator according to your business needs. The maximum validity period of a token is 24 hours. When an RTM token is about to expire, the onTokenPrivilegeWillExpire
callback is triggered 30 seconds before the expiration time. When you receive this callback, retrieve a fresh RTM token from your token server, and call renewToken
to pass the new token to the SDK.
If the token expires, the SDK triggers an onLinkStateEvent
callback and reports the following information:
currentState
:FAILED
operation
:SERVER_REJECT
reason
:Ticket expired
In this scenario, log out of Signaling using the logout
method, retrieve a fresh token, and login
again.
An alternative approach to handling token expiration through the onTokenPrivilegeWillExpire
and onLinkStateEvent
callbacks is to handle expiration proactively. Best practice is to update the token periodically to ensure seamless authentication and uninterrupted operation.
Reference
This section contains content that completes the information on this page, or points you to documentation that explains other aspects to this product.
BuildToken API reference
This section explains the API parameters and descriptions for generating AccessToken2
using Golang as an example:
Parameter | Description |
---|---|
appId | The app ID generated when you create a project in Agora Console. |
appCertificate | Your app certificate. |
userId | The user ID, used to identify a user or device. To differentiate between users and devices, ensure that the userId is globally unique and remains unchanged for the lifetime of the user or device. |
expire | The validity period of the token (in seconds). The maximum validity period is 24 hours. |