Basic authentication is the simplest way to authenticate with Ably. It requires passing an API key when instancing an SDK.
The following is an example of using basic authentication:
The process used by Ably SDKs to authenticate with Ably using basic authentication is illustrated in the following diagram:
Ably recommends that basic authentication is only used server-side because of the following potential issues:
- The secret is passed directly by the client to Ably, so it is only permitted for connections that are over TLS, to prevent the key secret being intercepted.
- All of the configured capabilities of the key are implicitly possible in any request, and clients that legitimately obtain this key may then abuse the rights for that key.
- A client that authenticates using an API key can claim any client ID it chooses. Therefore this client ID cannot be trusted to represent the genuine identity of the client. Client IDs should be assigned by the server, once the client’s credentials have been authenticated.