The web service also creates a token that the client uses to connect to the OpenTok session. The HTTP GET request to the /session endpoint returns a response that includes the OpenTok session ID and token.
Authenticate each user (using your own server-side authentication techniques) before sending an OpenTok token. Otherwise, malicious users could call your web service, obtain tokens, and use them, causing streaming minutes to be charged to your OpenTok developer account. It is also a best practice to use an HTTPS URL for the web service that returns an OpenTok token, so that the token cannot be intercepted and misused.
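One way to gate the /session endpoint along these lines, as an added example that is not code from the original page or from OpenTok. The signed login credential format, the `issue_token` callback (standing in for whatever server SDK call mints the token), and the JSON key names are all assumptions.

```python
import hashlib
import hmac
import json
import time

APP_SECRET = b"constructed-demo-secret"  # constructed value; load from a secret store


def sign_login(user_id, expires_at, secret=APP_SECRET):
    """Credential the app's own login flow would hand out (hypothetical scheme)."""
    payload = f"{user_id}.{expires_at}"
    sig = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def verify_login(credential, now, secret=APP_SECRET):
    """Return the user id if the credential is authentic and unexpired, else None."""
    try:
        user_id, expires_at, sig = credential.rsplit(".", 2)
        expiry = int(expires_at)
    except ValueError:
        return None
    payload = f"{user_id}.{expires_at}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, then the expiry check.
    if not hmac.compare_digest(sig.encode(), expected.encode()) or expiry <= now:
        return None
    return user_id


def handle_get_session(scheme, headers, issue_token, session_id, now=None):
    """Gate for GET /session: returns (status, json_body)."""
    now = int(time.time()) if now is None else now
    if scheme != "https":
        return 400, json.dumps({"error": "https required"})
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, json.dumps({"error": "authentication required"})
    user_id = verify_login(auth[len("Bearer "):], now)
    if user_id is None:
        return 401, json.dumps({"error": "authentication required"})
    # The token is minted only after authentication succeeds, so an
    # unauthenticated caller never causes one to be created.
    token = issue_token(session_id, user_id)
    return 200, json.dumps({"sessionId": session_id, "token": token})
```

Every rejection path returns before `issue_token` is called, so the number of tokens issued is bounded by the number of authenticated requests.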