Token Creation Overview

To authenticate a user connecting to an OpenTok session, the user's page must pass a token along with the API key. You generate a token for each user connecting to an OpenTok session. For more information on connecting, see the documentation on joining a session: OpenTok.js, Android, iOS.

Roles

Each token is assigned a role, which determines the capabilities of the client that connects with the token. There are three roles:

Expiration dates

OpenTok tokens expire after a set period of time (up to 30 days). You can specify the expiration period when you generate the token.

Connection data

For each token, you can add a string containing metadata describing the client. For example, you can pass the user ID, name, or other data describing the client. You may obtain this data from a server-side database or from data provided to you by the client, depending on your application. The length of the string is limited to 1000 characters. This data cannot be updated once it is set.

Do not use personal information in token data — token metadata is passed to all users in the session and is also readable through the OpenTok client logs, so you should never use unencrypted sensitive or personal information in the token data. See security best practices.

The OpenTok client libraries include properties for inspecting the connection data for a client connected to a session.

Best practices when generating tokens

Tokens are cheap to generate. They are generated using only a hashing function and your secret, and generating a token makes no API call to our servers. We recommend:

Generating tokens

While working on a test version of your app, you can obtain a test token on a Project Page of your TokBox Account. However, in a final production version of an app, you will want to use one of the OpenTok server-side libraries, not the Project Page, to generate tokens:
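The following is an added illustration, not OpenTok SDK code and not the OpenTok token format: it shows the model this page describes, where a server signs a per-user token locally with a keyed hash and its secret, and enforces the documented limits (30-day maximum expiration, 1000-character connection data) before signing. The claim names, the `issue_token` and `verify_token` helpers, the HMAC-SHA256 choice and all sample values are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

MAX_TTL = 30 * 24 * 3600  # page: expiration period is at most 30 days
MAX_DATA_LEN = 1000       # page: connection data is limited to 1000 characters


def _mac(secret: bytes, body: bytes) -> bytes:
    return hmac.new(secret, body, hashlib.sha256).hexdigest().encode()


def issue_token(secret, session_id, role, ttl, connection_data="", now=None):
    """Build and sign a token locally; nothing here touches the network."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 second and 30 days")
    if len(connection_data) > MAX_DATA_LEN:
        raise ValueError("connection data exceeds 1000 characters")
    now = int(time.time()) if now is None else now
    claims = {"sid": session_id, "role": role, "exp": now + ttl,
              "nonce": secrets.token_hex(8), "data": connection_data}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (_mac(secret, body) + b"." + body).decode()


def verify_token(secret, token, now=None):
    """Return the claims if the MAC matches and the token has not expired."""
    sig, _, body = token.encode().partition(b".")
    if not hmac.compare_digest(sig, _mac(secret, body)):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body))
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value, not a real API secret
    # Connection data carries an opaque ID, not a name or e-mail address,
    # because it is visible to every client in the session.
    tok = issue_token(secret, "demo-session", "publisher", 3600, "uid=7f3a9c")
    print(verify_token(secret, tok)["data"])
```

Because the connection data is only encoded and signed, not encrypted, anyone holding the token can read it, which is why the sample passes an opaque user ID.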