Secure your classrooms
Security and compliance are essential for real-time engagements through technology. In order to provide safe and reliable cloud services, Agora adheres to the compliance requirements of different countries, regions, and industries.
Agora Flexible Classroom is designed and built with multiple protection measures against attacks commonly seen in the real-time engagement industry. This page describes some of the security best practices that Agora Flexible Classroom has adopted, as well as security tools it provides for developers, as follows:
| Protection measures | Applied by default | Recommended scenarios |
|---|---|---|
| Classroom separation | Yes | All real-time scenarios. |
| Token authentication | No | All real-time apps must use token-based end user authentication. |
| Data encryption and storage | Yes | Real-time scenarios that require confidentiality. |
| Network geofencing | No | Real-time scenarios where customers wish to restrict access to Agora servers to within a specified region. |
Classroom separation
Agora creates independent and isolated classrooms for audio, video, or messaging data transmission with the room ID specified by the app developer. All classrooms are logically separated and only authenticated users from the same Agora App ID can join the same classroom.
Token authentication
Agora Flexible Classroom uses the Signaling token for end user authentication. The Signaling token is an access key with the expiration time of 24 hours. It is generated by the app backend with important information such as the Agora App ID, user ID (uid), and channel name. It allows end users to access the Agora platform after the user is properly validated by the app.
The app developer can enable token authentication (App Certificate) in Agora Console. When enabled, all user’s request to join a classroom must be done with a valid Signaling token.
- For more information on how to enable Signaling token authentication, see Secure authentication with tokens.
- For how to generate a Signaling token on the app backend, see Secure authentication with tokens.
Data encryption and storage
To guarantee data confidentiality during transmission, Agora Flexible Classroom uses the TLS (Transport Layer Security) and Secure Sockets Layer (SSL) encryption protocols.
Agora Flexible Classroom does not store any of your business data or user data except for caching them for transmission purpose. The cached data will be released an hour after the classroom ends. Agora Flexible Classroom supports uploading files and real-time recording in a classroom. The uploaded class files and recorded files are stored in the third-party cloud storage designated by the app developer. These features are disabled by default. Only after the app developer enables these features and specifies a third-party cloud storage in Agora Console, can authenticated users access the services and the stored resources.
Network geofencing
To conform to the laws and regulations of different countries and regions, Agora Flexible Classroom supports network geofencing, which limits the transmission of data to within a specified region.
Agora Flexible Classroom sets up the following four regions and supports the network geofencing in the following regions:
| Data center | Location | Service region |
|---|---|---|
CN | Shanghai, China | Mainland China |
AP | Singapore | Asia Pacific |
EU | Frankfurt, Germany | Europe |
NA | Silicon Valley, US | North America |
Agora Flexible Classroom implements network geofencing in each server-side RESTful API as well as all client-side Classroom SDKs. The app developer can specify a region when calling the RESTful APIs or launching a classroom.
With network geofencing enabled, data transfer will be restricted to the service regions that your specified data center covers. However, in some cases cross-region data transfer may be needed. For example, a teacher joins a flexible room in Europe, but the students are located in North America. For the teacher to interact with these students, it must be allowed to transmit the data to regions outside Europe. In such cases, Agora Flexible Classroom can support cross-region data transfer under your permissions.
Security best practice checklist
Use this list to quickly check what measures you have or have not taken to best protect the security of your app and users:
- Enable token authentication in Agora Console.
- Disable No certificate in your project management page. Once it is done your app authenticates users with tokens only.
- Deploy an Signaling token server in your backend services.
- Protect the token server and only allow the app backend server to connect to the token server.
- For additional security, you can also do the following:
- Set the classroom ID to a one-time random string managed by your app.
- Set the user ID to a one-time random string that is mapped to the user on the app level. Do not use the users' real ID on your app as the user ID in Agora services.