In order to authenticate a user connecting to an OpenTok session, a user's page must pass a token along with the API key. You generate a token for each user connecting to an OpenTok session. For more information on connecting, see the documentation on joining a session: OpenTok.js, Android, iOS.
Roles
Each token is assigned a role, which determines the capabilities of the client that connects with that token. The roles are:
- Subscriber — Clients that connect with a subscriber token can connect to the session and subscribe to other clients' streams. They cannot publish their own streams to a session.
- Publisher — Clients that connect with a publisher token can connect to the session, publish audio-video streams to the session, and subscribe to other clients' streams.
- Publisher-only — Clients that connect with a publisher-only token can connect to the session and publish audio-video streams to the session, but they cannot subscribe to other clients' streams. Additionally, clients that connect with a publisher-only token are restricted from sending signals. Note: Currently, creating publisher-only tokens is supported in the OpenTok Node, OpenTok Java, and OpenTok Ruby SDKs.
- Moderator — In addition to publishing and subscribing to streams, moderators connected in a client using OpenTok.js can force other clients to disconnect from the session or to stop publishing audio-video streams. (Any client can be forced to disconnect or stop publishing, but only a moderator using OpenTok.js can perform these moderation functions.) Additionally, moderators connected in any of the OpenTok client SDKs can force one or more streams in the session to mute published audio. See Moderation.
Expiration dates
OpenTok tokens expire after a set period of time (up to 30 days). You can specify the expiration
period when you generate the token.
Connection data
For each token, you can add a string containing metadata describing the client. For example, you
can pass the user ID, name, or other data describing the client. You may obtain this data from a
server-side database or from data provided to you by the client, depending on your application.
The length of the string is limited to 1000 characters. This data cannot be updated once it is
set.
Do not use personal information in token data — token metadata
is passed to all users in the session and is also readable through the OpenTok client logs, so you should
never use unencrypted sensitive or personal information in the token data. See security best practices.
The OpenTok client libraries include properties for inspecting the connection data for a client
connected to a session.
Best practices when generating tokens
Tokens are cheap to generate. They are generated just with a hashing function and your secret. There is no API call to our servers used when generating a token. We recommend:
- Generating a new token for every user at the time they try to connect. Tokens have an expiration time, which by default is 24 hours after the token is created. After the expiration time, you cannot use the token to connect to the session.
- Not storing tokens or trying to reuse them.
- Using connection data to identify users. Connection data is a secure way to store information about your users (such as a user ID, which can help you identify your users in your application).
Generating tokens
While working on a test version of your app, you can obtain a test token on a Project Page of
your Video API account. However, in a final production version of an app,
you will want to use one of the OpenTok server-side libraries, not the Project Page, to generate tokens:
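As an added illustration (not code from OpenTok or its server SDKs), the following Python builds, decodes and verifies a token of the kind described in the sections above. The payload layout it uses (an HMAC-SHA1 over a query-string payload, base64-encoded with a `T1==` prefix, the publisher-only role spelled `publisheronly`) is my understanding of what the OpenTok server SDKs produce and should be treated as an assumption; in production, generate tokens with the official SDK rather than this code. The function names `generate_token`, `decode_token` and `verify_token`, the API key `12345`, the secret and the session ID are constructed for the example. It enforces the limits stated on this page (expiry of at most 30 days, 24 hours by default; connection data of at most 1000 characters), and `decode_token` shows why the connection data must not carry personal information: the payload is readable by anyone who holds the token, no secret required. Only the signature check in `verify_token` needs the secret.

```python
"""Illustrative OpenTok-style token builder and checker (added example,
not the OpenTok SDK). Format is an assumption; use the official SDK."""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Role names as (I assume) the OpenTok server SDKs spell them.
ROLES = ("subscriber", "publisher", "publisheronly", "moderator")
DEFAULT_TTL = 24 * 60 * 60      # page: default expiry is 24 hours
MAX_TTL = 30 * DEFAULT_TTL      # page: a token lives at most 30 days
MAX_DATA_LEN = 1000             # page: connection data is capped at 1000 chars


def generate_token(api_key, api_secret, session_id, role="publisher",
                   ttl_seconds=DEFAULT_TTL, connection_data="",
                   now=None, nonce=None):
    """Mint a token server-side. Only the HMAC makes it trustworthy; every
    other field is readable by whoever holds the token (see decode_token)."""
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not 0 < ttl_seconds <= MAX_TTL:
        raise ValueError("expiry must be between 1 second and 30 days")
    if len(connection_data) > MAX_DATA_LEN:
        raise ValueError("connection data exceeds 1000 characters")
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8) if nonce is None else nonce   # replay guard
    fields = {
        "session_id": session_id,
        "create_time": now,
        "nonce": nonce,
        "role": role,
        "expire_time": now + ttl_seconds,
    }
    if connection_data:
        fields["connection_data"] = connection_data
    data_string = urlencode(fields)
    sig = hmac.new(api_secret.encode(), data_string.encode(),
                   hashlib.sha1).hexdigest()
    body = f"partner_id={api_key}&sig={sig}:{data_string}"
    return "T1==" + base64.b64encode(body.encode()).decode()


def decode_token(token):
    """Read the payload WITHOUT the secret. This is what every other
    participant and the client logs can see, hence no PII in connection_data.
    Returns (partner_id, sig, signed_data_string, decoded_fields)."""
    if not token.startswith("T1=="):
        raise ValueError("not an OpenTok-style token")
    body = base64.b64decode(token[4:]).decode()
    header, data_string = body.split(":", 1)
    head = {k: v[0] for k, v in parse_qs(header).items()}
    data = {k: v[0] for k, v in parse_qs(data_string).items()}
    return head["partner_id"], head["sig"], data_string, data


def verify_token(token, api_secret, now=None):
    """Server-side acceptance check: signature must match under the secret
    and the token must not be expired. Constant-time comparison throughout."""
    _, sig, data_string, data = decode_token(token)
    expected = hmac.new(api_secret.encode(), data_string.encode(),
                        hashlib.sha1).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    now = int(time.time()) if now is None else now
    return now < int(data["expire_time"])


if __name__ == "__main__":
    # Constructed sample values: API key, secret and session ID are not real.
    tok = generate_token("12345", "s3cret-example", "1_MX4example",
                         role="subscriber", ttl_seconds=3600,
                         connection_data="user_id=42")
    print(tok)
    print(decode_token(tok)[3])          # readable with no secret at all
    print(verify_token(tok, "s3cret-example"))   # True until it expires
```

Note how `decode_token` recovers `user_id=42` with nothing but the token string: the base64 and the query string are encoding, not encryption. That is the whole reason the page restricts connection data to opaque identifiers you can look up server-side.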