The HTTP GET request to the /session endpoint returns a response that includes the OpenTok session ID and token. You can try this by going to this path in your browser:
The client uses the token to authenticate against the specific OpenTok session. However, it's up to you to decide when it is safe to give the token to your users.
If you want to provide a free video chat service, then you can provide the token to anyone that uses your app.
On the other hand, if you want to authenticate your users before giving them access (using your own server-side authentication techniques), you will want to provide the token at a resource that is protected. Otherwise, malicious users could call your web service and use tokens, causing streaming minutes to be charged to your OpenTok developer account. As a best practice, be sure to use an HTTPS URL for the web service that returns an OpenTok token, so that it cannot be intercepted and misused.
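One way to put the token behind a protected resource, shown as an added example that is not part of the original tutorial or of OpenTok's sample code. The names `handleSessionRequest`, `logins` and `issueCredentials`, the `sid` cookie, and the placeholder credentials are assumptions; `issueCredentials` stands in for whatever OpenTok server SDK call your app makes.

```javascript
// Added example. Assumptions: `logins` is the app's own server-side login
// store and `issueCredentials` wraps the OpenTok server SDK call; both are
// hypothetical names, not part of the tutorial's code.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

function handleSessionRequest(req, logins, issueCredentials) {
  // Refuse plaintext. Trust X-Forwarded-Proto only when a TLS-terminating
  // proxy you control sets it; otherwise rely on the socket alone.
  const viaTls = Boolean(req.socket && req.socket.encrypted) ||
    req.headers['x-forwarded-proto'] === 'https';
  if (!viaTls) return { status: 403, body: { error: 'https required' } };

  // Require a live login before any token is minted.
  const sid = parseCookies(req.headers.cookie).sid;
  const login = sid ? logins.get(sid) : undefined;
  if (!login || login.expires <= Date.now()) {
    return { status: 401, body: { error: 'login required' } };
  }
  return {
    status: 200,
    headers: { 'Cache-Control': 'no-store' }, // keep the token out of caches
    body: issueCredentials(login.user),
  };
}

// Constructed sample data: one live login, one expired, and a stub issuer.
function demo() {
  const logins = new Map([
    ['live-sid', { user: 'alice', expires: Date.now() + 60000 }],
    ['old-sid', { user: 'bob', expires: Date.now() - 1 }],
  ]);
  let issued = 0;
  const issue = () => { issued += 1; return { sessionId: 'SESSION_ID_PLACEHOLDER', token: 'TOKEN_PLACEHOLDER' }; };
  const req = (cookie, proto) => ({ headers: { cookie, 'x-forwarded-proto': proto } });
  return {
    anonymous: handleSessionRequest(req(undefined, 'https'), logins, issue),
    expired: handleSessionRequest(req('sid=old-sid', 'https'), logins, issue),
    plaintext: handleSessionRequest(req('sid=live-sid', 'http'), logins, issue),
    loggedIn: handleSessionRequest(req('theme=dark; sid=live-sid', 'https'), logins, issue),
    issued,
  };
}
```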
Next, we'll test out the app, and start understanding how it works.