Authentication
Ably clients can authenticate with Ably in one of two ways. They can use Basic Authentication or Token Authentication. Basic Authentication makes use of the customer’s API key) to connect with Ably. Token Authentication requires a server to provide an Ably Token, an Ably TokenRequest
, an Ably JWT, or an External JWT with an embedded Ably-compatible token to the client. Token Authentication, in most cases, is the recommended strategy due to it providing robust access control and stringent security measures.
Understanding the Ably authentication schemes
This page of documentation is intended to describe the Realtime Authentication API and is not intended to explain in depth how Ably’s authentication works. If you are new to Ably and/or the authentication schemes, we strongly recommend that you get acquainted with the following first:
- Getting started with Ably’s authentication
- Selecting the right authentication scheme
- Basic Authentication explained
- Token Authentication explained
Tutorials
If you’re the kind of person who prefers to dive into code, we have client-server authentication tutorials.
Basic Authentication
Basic Authentication uses one of the api keys configured via the application dashboard as the authentication token. Basic Authentication is the simplest method to use but has some important limitations described in detail in the Basic Authentication documentation.
Here is a straightforward example of using Basic Authentication to connect to Ably:
var realtime = new Ably.Realtime({ key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk' });
var realtime = new Ably.Realtime({ key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk' });
realtime = Ably::Realtime.new(key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk')
ClientOptions options = new ClientOptions();
options.key = "xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk";
AblyRealtime realtime = new AblyRealtime(options);
let realtime = ARTRealtime(key: "xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk")
ARTRealtime *realtime = [[ARTRealtime alloc] initWithKey:@"xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk"];
AblyRealtime realtime = AblyRealtime("xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk");
Token Authentication
Look at the general authentication documentation for more in-depth information on Token Authentication.
Token Authentication uses an Ably-compatible token to authenticate with Ably. This can be an Ably Token obtained via the REST API requestToken
RequestToken
request_token
endpoint, an Ably JWT signed by your API key, or an External JWT object with an embedded Ably-compatible token. Tokens are authentication credentials that are short-lived, and therefore they may more readily be distributed to clients where there is a risk of compromise. Tokens may also be issued with a particular scope – such as a limited set of access rights or capabilities or being limited to use by a specific clientId
ClientId
identity – and therefore token-based authentication provides the flexibility to implement access and identity control policies in the application. See the Token Authentication documentation for more details. To initialize the Realtime library to a previously obtained Ably Token
or Ably JWT
, set the :token
or :token_details
token
or token_details
Token
or TokenDetails
token
or tokenDetails
attribute of ClientOptions
to said token.
Below is a rather contrived yet straightforward example that instances a Realtime library using Token Authentication with a means to reissue tokens as required. Typically, in a browser environment, the authUrl
AuthUrl
provided would be a relative URL to a local endpoint that is used to issue tokens to trusted clients. Client requests can, for example, be trusted based on session cookies. For non-browser clients, an authentication callback is preferred thus relying on your application to communicate securely with your own servers to obtain a token.
var realtime = new Ably.Realtime({ authUrl: 'http://my.website/auth' });
var realtime = new Ably.Realtime({ authUrl: 'http://my.website/auth' });
realtime = Ably::Realtime.new(auth_url: 'http://my.website/auth')
ClientOptions options = new ClientOptions();
options.authUrl = "http://my.website/auth";
AblyRealtime realtime = new AblyRealtime(options);
ARTClientOptions *options = [[ARTClientOptions alloc] init];
options.authUrl = [NSURL URLWithString:@"http://my.website/auth"];
ARTRealtime *realtime = [[ARTRealtime alloc] initWithOptions:options];
let options = ARTClientOptions()
options.authUrl = NSURL(string: "http://my.website/auth")
let realtime = ARTRealtime(options: options)
ClientOptions options = new ClientOptions();
options.AuthUrl = new Uri("http://my.website/auth");
AblyRealtime realtime = new AblyRealtime(options);
Selecting an authentication mechanism
When deciding on which authentication method you will be using, it is recommended to bear in mind the principle of least privilege: a client should ideally only possess the credentials and rights that it needs to accomplish what it wants; this way, if the credentials are compromised, the rights that can be abused by an attacker are minimized.
The table below should be used as a rough guide as to what you should consider when choosing your authentication method. Many applications will most naturally use a mixed strategy: one or more trusted application servers will use basic authentication to access the service and issue tokens over HTTPS, whereas remote browsers and devices will use individually issued tokens:
Identified clients
When a client is authenticated and connected to Ably, they are considered to be an authenticated client. However, whilst an authenticated client has a verifiable means to authenticate with Ably, they do not necessarily have an identity. When a client is assigned a trusted identity (i.e. a client_id
ClientId
clientId
), then they are considered to be an identified client and for all operations they perform with the Ably service, their client_id
ClientId
clientId
field will be automatically populated and can be trusted by other clients.
We encourage customers to always issue tokens to clients so that they authenticate using the short-lived token and do not have access to a customer’s private API keys. Since the customer can then control the client_id
ClientId
clientId
that may be used by any of its clients, all other clients can rely on the validity of the client_id
ClientId
clientId
in published messages and of members present in presence channels.
The following example demonstrates how to issue an Ably TokenRequest
with an explicit client_id
ClientId
clientId
that, when used by a client, will then be considered an identified client.
var realtime = new Ably.Realtime({ key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk' });
realtime.auth.createTokenRequest({ clientId: 'Bob' }, function(err, tokenRequest) {
/* ... issue the TokenRequest to a client ... */
})
var realtime = new Ably.Realtime({ key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk' });
realtime.auth.createTokenRequest({ clientId: 'Bob' }, function(err, tokenRequest) {
/* ... issue the TokenRequest to a client ... */
})
realtime = Ably::Realtime.new(key: 'xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk')
realtime.auth.createTokenRequest(client_id: 'Bob') do |token_request|
# ... issue the TokenRequest to a client ...
end
ClientOptions options = new ClientOptions();
options.key = "xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk";
AblyRealtime realtime = new AblyRealtime(options);
TokenParams tokenParams = new TokenParams();
tokenParams.clientId = "Bob";
TokenRequest tokenRequest;
tokenRequest = realtime.auth.createTokenRequest(tokenParams, null);
/* ... issue the TokenRequest to a client ... */
AblyRealtime realtime = new AblyRealtime("xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk");
TokenParams tokenParams = new TokenParams {ClientId = "Bob"};
string tokenRequest = await realtime.Auth.CreateTokenRequestAsync(tokenParams);
/* ... issue the TokenRequest to a client ... */
ARTRealtime *realtime = [[ARTRealtime alloc] initWithKey:@"xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk"];
ARTTokenParams *tokenParams = [[ARTTokenParams alloc] initWithClientId:@"Bob"];
[realtime.auth createTokenRequest:tokenParams options:nil
callback:^(ARTTokenRequest *tokenRequest NSError *error) {
// ... issue the TokenRequest to a client ...
}];
let realtime = ARTRealtime(key: "xVLyHw.vZMWGQ:ubjzJ11j3pFuPbse-GolIzDrOzQ_OiH_5pTaY9asUNk")
let tokenParams = ARTTokenParams(clientId: "Bob")
realtime.auth.createTokenRequest(tokenParams, options: nil) { tokenRequest, error in
// ... issue the TokenRequest to a client ...
}
API Reference
View the Authentication API Reference.