Update the token-based authentication mechanism

If you integrate the Chat SDK and Agora Video SDK at the same time, Agora recommends you update the token-based authentication mechanism from AccessToken to AccessToken2.

This document uses the JAVA server and the Web client as examples to guide you how to build and update the token-based authentication mechanism step-by-step.

Prerequisites

You have built a token server based on Spring Framework and a Web client using Chat according to Authenticate Your Users with Tokens.
You have added the Video SDK Token service based on AccessToken to the token server of Chat. To do this, in AgoraChatTokenController.java file, import the RtcTokenBuilder with import com.agora.chat.token.io.agora.media.RtcTokenBuilder; and add the following method:

_24// Generate <Vg k="VSDK" /> AccessToken _24@GetMapping("/rtc/{rtcChannelName}/{rtcUserId}/{role}/token") _24public String getRtcToken(@PathVariable String rtcChannelName, @PathVariable int rtcUserId, @PathVariable int role) { _24 _24 if (!StringUtils.hasText(appid) || !StringUtils.hasText(appcert)) { _24 return "appid or appcert is empty"; _24 } _24 _24 RtcTokenBuilder builder = new RtcTokenBuilder(); _24 _24 RtcTokenBuilder.Role rtcRole; _24 _24 switch(role) { _24 case 1: _24 default: _24 rtcRole = RtcTokenBuilder.Role.Role_Publisher; _24 break; _24 case 2: _24 rtcRole = RtcTokenBuilder.Role.Role_Subscriber; _24 break; _24 } _24 _24 return builder.buildTokenWithUid(appid, appcert, rtcChannelName, rtcUserId, rtcRole, expire); _24}
You have added the authentication logic to the client using the using the Video SDK. To do this, create a agoraRtcTokenClient folder with the following two files:
- index.html ：
  
  _12<html> _12 _12 <head> _12 <title>Token demo</title> _12 </head> _12 _12<body> _12 <h1>Token demo</h1> _12 <script src="https://download.agora.io/sdk/release/AgoraRTC_N.js"></script> _12 <script src="./client.js"></script> _12 </body> _12</html>
- client.js. Replace <Your app ID> with your App ID.
  
  _96var rtc = { _96 // For the local audio and video tracks. _96 localAudioTrack: null, _96 localVideoTrack: null, _96}; _96 _96var options = { _96 // Pass your App ID here. _96 appId: "<Your app ID>", _96 // Set the channel name. _96 channel: "ChannelA", _96 // Set the user role as host (who can both send and receive streams) or audience (who can only receive streams). _96 role: "host", _96}; _96 _96// Fetch a token from the sever. _96function fetchToken(uid, channelName, tokenRole) { _96 _96url = 'http://localhost:8090/rtc/' + channelName + '/' + uid + '/' + tokenRole + '/' + 'token' _96 _96return new Promise(function (resolve) { _96 _96 fetch(url) _96 .then(res => res.text()) _96 .then((token => { resolve(token); })) _96 _96}) _96 .catch(function (error) { _96 console.log(error); _96 }); _96} _96 _96async function startBasicCall() { _96 const client = AgoraRTC.createClient({ mode: "live", codec: "vp9" }); _96 client.setClientRole(options.role); _96 const uid = 123456; _96 _96 // Fetch a token before calling join to join a channel. _96 let token = await fetchToken(uid, options.channel, 1); _96 _96 await client.join(options.appId, options.channel, token, uid); _96 rtc.localAudioTrack = await AgoraRTC.createMicrophoneAudioTrack(); _96 rtc.localVideoTrack = await AgoraRTC.createCameraVideoTrack(); _96 await client.publish([rtc.localAudioTrack, rtc.localVideoTrack]); _96 const localPlayerContainer = document.createElement("div"); _96 localPlayerContainer.id = uid; _96 localPlayerContainer.style.width = "640px"; _96 localPlayerContainer.style.height = "480px"; _96 document.body.append(localPlayerContainer); _96 _96 rtc.localVideoTrack.play(localPlayerContainer); _96 _96 console.log("publish success!"); _96 _96 client.on("user-published", async (user, mediaType) => { _96 await client.subscribe(user, mediaType); _96 console.log("subscribe success"); _96 _96 if (mediaType === "video") { _96 const remoteVideoTrack = user.videoTrack; _96 const remotePlayerContainer = document.createElement("div"); _96 remotePlayerContainer.textContent = _96 "Remote user " + user.uid.toString(); _96 remotePlayerContainer.style.width = "640px"; _96 remotePlayerContainer.style.height = "480px"; _96 document.body.append(remotePlayerContainer); _96 remoteVideoTrack.play(remotePlayerContainer); _96 } _96 _96 if (mediaType === "audio") { _96 const remoteAudioTrack = user.audioTrack; _96 remoteAudioTrack.play(); _96 } _96 _96 client.on("user-unpublished", (user) => { _96 const remotePlayerContainer = document.getElementById(user.uid); _96 remotePlayerContainer.remove(); _96 }); _96 }); _96 _96 // When token-privilege-will-expire occurs, fetch a new token from the server and call renewToken to renew the token. _96 client.on("token-privilege-will-expire", async function () { _96 let token = await fetchToken(uid, options.channel, 1); _96 await client.renewToken(token); _96 }); _96 _96 // When token-privilege-did-expire occurs, fetch a new token from the server and call join to rejoin the channel. _96 client.on("token-privilege-did-expire", async function () { _96 console.log("Fetching the new Token"); _96 let token = await fetchToken(uid, options.channel, 1); _96 console.log("Rejoining the channel with new Token"); _96 await rtc.client.join(options.appId, options.channel, token, uid); _96 }); _96} _96 _96startBasicCall();
To test the AccessToken server, open index.html with a supported browser to perform the following actions:
- Successfully joining a channel.
- Renewing a token every 10 seconds.

Implementation

To upgrade your authentication mechanism to AccessToken 2, use the following procedure.

Upgrade the token server to AccessToken2

This section shows you how to upgrade the token server to AccessToken2.

Import RtcTokenBuilder2 with the following code:

_1import com.agora.chat.token.io.agora.media.RtcTokenBuilder2;
Replace the code for getRtcToken method with the following logic:

_23// Generate <Vg k="VSDK" /> AccessToken2 _23public String getRtcToken(@PathVariable String rtcChannelName, @PathVariable int rtcUserId, @PathVariable int role) { _23 _23 if (!StringUtils.hasText(appid) || !StringUtils.hasText(appcert)) { _23 return "appid or appcert is empty"; _23 } _23 _23 RtcTokenBuilder2 builder = new RtcTokenBuilder2(); _23 _23 RtcTokenBuilder2.Role rtcRole; _23 _23 switch(role) { _23 case 1: _23 default: _23 rtcRole = RtcTokenBuilder2.Role.ROLE_PUBLISHER; _23 break; _23 case 2: _23 rtcRole = RtcTokenBuilder2.Role.ROLE_SUBSCRIBER; _23 break; _23 } _23 _23 return builder.buildTokenWithUid(appid, appcert, rtcChannelName, rtcUserId, rtcRole, expire); _23}

No extra action is required for the client to get compatible with AccessToken2.

Test the AccessToken2 server

Open index.html with a supported browser to perform the following actions:

Successfully joining a channel.
Renewing a token every 10 seconds.

Reference

This section introduces token generator libraries, version requirements, and related documents about AccessToken2.

SDK compatibility for AccessToken2

AccessToken2 supports the following versions of the Agora Video SDK：

SDK	First SDK version to support AccessToken2
Video SDK Native SDK	3.5.2
Video SDK ELectron SDK	3.5.2
Video SDK Unity SDK	3.5.2
Video SDK React Native SDK	3.5.2
Video SDK Flutter SDK	4.2.0
Video SDK Web SDK	4.8.0
Video SDK WeChat Mini Program SDK	Not supported

Video SDK SDKs that use AccessToken2 can interoperate with Video SDK SDKs that use AccessToken. Also, the Video SDK that supports AccessToken2 also supports AccessToken.

If you use other Video SDK extentions, such as Agora Cloud Recording and Media Push, contact support@agora.io for technical support before upgrading to AccessToken2.

Token generator libraries

Agora provides an open-source AgoraDynamicKey repository on GitHub, which enables you to generate AccessToken2 on your server with programming languages such as C++, Java, and Go.

Language	Algorithm	Core Method	Sample Code
C++	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.cpp
Go	HMAC-SHA256	buildTokenWithUid	sample.go
Java	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.java
Node.js	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.js
PHP	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.php
Python	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.py
Python3	HMAC-SHA256	buildTokenWithUid	RtcTokenBuilder2Sample.py

API reference

Taking Java as an example, this section introduces the parameters and descriptions for the method to generate an AccessToken2.

public String buildTokenWithUid(String appId, String appCertificate, String channelName, int uid, Role role, int expire)

Parameter	Description
`appId`	The App ID of your Agora project.
`appCertificate`	The App Certificate of your Agora project.
`channelName`	The channel name. The string length must be less than 64 bytes. Supported character scopes are: All lowercase English letters: a to z. All upper English letters: A to Z. All numeric characters: 0 to 9. The space character. Punctuation characters and other symbols, including: "!", "#", "$", "%", "&", "(", ")", "+", "-", ":", ";", "<", "=", ".", ">", "?", "@", "[", "]", "^", "_", " , ", "\|", "~", ",".
`uid`	The user ID of the user to be authenticated. A 32-bit unsigned integer with a value range from 1 to (2³² - 1). It must be unique. Set `uid` as 0, if you do not want to authenticate the user ID, that is, any `uid` from the app client can join the channel.
`role`	The privilege of the user, either as a publisher or a subscriber. This parameter determines whether a user can publish streams in the channel. `ROLE_PUBLISHER(1)`: (default) The user has the privilege of a publisher, that is, the user can publish streams in the channel. `ROLE_SUBSCRIBER(2)`: The user has the privilege of a subscriber, that is, the user can only subscribe to streams, not publish them, in the channel. This value takes effect only if you have enabled co-host authentication. For details, see Enable co-host authentication.
`expire`	The Unix timestamp (in seconds) when an AccessToken expires. Set this parameter as the current timestamp plus the valid period of AccessToken2. For example, if you set `expire` as the current timestamp plus 600, the AccessToken2 expires in 10 minutes. An AccessToken2 is valid for 24 hours at most. If you set it to a period longer than 24 hours, the AccessToken2 is still valid for 24 hours.

API for privilege-level expiration configuration

To facilitate privilege-level configuration in a channel, Agora provides an overloaded method to support configuring the expiration of the AccessToken2 and related privileges:

Join a channel
Publish audio
Publish video
Publish data stream

Take Java as an example:

public String buildTokenWithUid(String appId, String appCertificate, String channelName, int uid, int tokenExpire, int joinChannelPrivilegeExpire, int pubAudioPrivilegeExpire, int pubVideoPrivilegeExpire, int pubDataStreamPrivilegeExpire)

This method generates an Video SDK AccessToken2 and supports configuring the following privileges:

The expiration time of AccessToken2
Joining an Video SDK channel
Publishing audio in an Video SDK channel
Publishing video in an Video SDK channel
Publishing data stream in an Video SDK channel

The privileges of publishing audio in an Video SDK channel, publishing video in an Video SDK channel, and publishing data stream in an Video SDK channel only take effect after enabling co-host authentication.

You can assign multiple privileges to a user. The maximum valid period of each privilege is 24 hours. When a privilege is about to expire or has expired, the Video SDK triggers the onTokenPriviegeWillExpire callback or the onRequestToken callback. You need to take the following actions in your own app logic:

Tag the type of privilege which is about to expire or has expired in your app logic.
The app fetches a new AccessToken2 from the token server.
The SDK calls renewToken to renew the AccessToken2, or joinChannelto rejoin the channel.

You need to set an appropriate expiration timestamp. For example, if the expiration time of joining a channel is earlier than that of publishing audio in the channel, when the privilege of joining a channel expires, the user is kicked out of the Video SDK channel. Even if the privilege of publishing audio is still valid, the privilege does not mean anything for the user.

Parameter	Description
`tokenExpire`	Number of seconds passed from the generation of AccessToken2 to the expiration of AccessToken2. Set this parameter as the current timestamp plus the valid period of AccessToken2. For example, if you set `tokenExpire` as the current timestamp plus 600, the AccessToken2 expires in 10 minutes. An AccessToken2 is valid for 24 hours at most. If you set it to 0 or a period longer than 24 hours, the AccessToken2 is still valid for 24 hours.
`joinChannelPrivilegeExpire`	Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of joining a channel. Set this parameter as the current timestamp plus the valid period of the privilege of joining a channel. For example, if you set `joinChannelPrivilegeExpire` as the current timestamp plus 600, the privilege expires 10 minutes after generation.
`pubAudioPrivilegeExpire`	Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing audio in a channel. Set this parameter as the current timestamp plus the valid period of publishing audio in a channel. For example, if you set `pubAudioPrivilegeExpire` as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp.
`pubVideoPrivilegeExpire`	Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing video in a channel. Set this parameter as the current timestamp plus the valid period of publishing video in a channel. For example, if you set `pubVideoPrivilegeExpire` as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp.
`pubDataStreamPrivilegeExpire`	Number of seconds passed from the generation of AccessToken2 to the expiration of the privilege of publishing data stream in a channel. Set this parameter as the current timestamp plus the valid period of publishing video in a channel. For example, if you set `pubDataStreamPrivilegeExpire` as the current timestamp plus 600, the privilege expires 10 minutes after generation. If you do not want to enable this privilege, set this parameter to the current timestamp.

Enable co-host authentication

Refer to the following steps to enable this function in Agora Console:

Log on to Agora Console. Under Projects, choose a project for which you want to enable co-host authentication, click the Edit icon, and enter the Edit Project page.
In the Features area, click Enable authentication.
Follow the on-screen instructions to know more about this function, check the box, and click Enable.

Co-host authentication takes effect in 5 minutes.

Once you have enabled co-host authentication, a user using your app must meet both of the following requirements to publish streams in a channel:

The role in setClientRole is set as "BROADCASTER".
The role in the code for generating tokens is set as ROLE_PUBLISHER.