Secure authentication with tokens

Authentication is the act of validating the identity of a user before they access a system. Agora uses digital tokens to authenticate users and their privileges before they access Signaling. A token is a string used to verify user privileges when logging in or joining a channel. When a user connects to Agora and passes in the token, the server verifies the user's identity and permissions based on the information in the token.

This page shows you how to set up a token server, and use it to connect securely to Signaling.

Understand the tech

Signaling provides two types of channels:

Message channels: To join a message channel, you only need to use an RTM token when calling the login method. An RTM token is valid only for the user Id that you use to generate it.
Stream channels: To join a stream channel, you use an RTC token when calling the join method. An RTC token is valid only for the channel name and the user Id that you used to generate it.

The following figure shows the call flow you implement to create step-up-authentication with Signaling:

token authentication flow

To log in to Signaling, your app retrieves an RTM token from the token server in your security infrastructure. Your app then sends this token to Agora SD-RTN™ for authentication. Agora SD-RTN™ validates the token and reads the user and project information stored in the token. To join a stream channel you request an RTC token from the server by supplying a user Id and a channel name. You do not need an authentication token to subscribe to a message channel.

A token contains the following information:

The App ID of your Agora project
The user Id of the user to be authenticated
The stream channel name (RTC token only)
The Unix timestamp indicating when the token will expire

Prerequisites

Ensure that you have:

Integrated the Signaling SDK in your project, and implemented the framework functionality from the SDK quickstart page.
The following information from Agora Console:
- App ID: A unique string provided by Agora that identifies your project.
- App certificate: A string generated using Agora Console to enable token authentication. To obtain the App certificate for your project, enable primary certificate.

Implement basic authentication

In the SDK quickstart, the app uses an authentication token obtained from Agora Console to join a channel. In a production environment, your app retrieves this token from a token server.

Token generation code

Agora provides an open source token generator code repository on GitHub. The repository contains code samples, based on the HMAC-SHA256 algorithm, in the following languages to generate tokens on your own server:

Language	Core method	Sample code
C++	buildToken	RtmTokenBuilder2Sample.cpp
Go	buildToken	sample.go
Java	buildToken	RtmTokenBuilder2Sample.java
PHP	buildToken	RtmTokenBuilder2Sample.php
Python 2	buildToken	RtmTokenBuilder2Sample.py
Python 3	buildToken	RtmTokenBuilder2Sample.py

Generate a token

This section shows you how to generate an RTM token using Go language AccessToken2 code from the GitHub repository. To use another language refer to the code samples and READMEs in the Github repository. To generate an RTC token refer to Generate an RTC token.

Before proceeding, make sure that you have:

Installed Go 1.14 or above
If you are using a Go version lower than 1.16, set the GO111MODULE environment variable to on.

Take the following steps to set up a token generation server:

Create a server.go file containing the following code. Replace Your_App_ID and Your_App_Certificate with your app ID and app certificate from Agora Console.

package main import ( rtmtokenbuilder "github.com/AgoraIO/Tools/DynamicKey/AgoraDynamicKey/go/src/rtmtokenbuilder2" "fmt" "log" "net/http" "time" "encoding/json" "errors" "strconv" ) type rtm_token_struct struct{ Uid_rtm string `json:"uid"` } var rtm_token string var rtm_uid string // Use RtmTokenBuilder to generate an RTM Token func generateRtmToken(rtm_uid string){ appID := "Your_App_ID" appCertificate := "Your_App_Certificate" // Token expiration time in seconds expireTimeInSeconds := uint32(3600) currentTimestamp := uint32(time.Now().UTC().Unix()) expireTimestamp := currentTimestamp + expireTimeInSeconds result, err := rtmtokenbuilder.BuildToken(appID, appCertificate, rtm_uid, expireTimestamp) if err != nil { fmt.Println(err) } else { fmt.Printf("Rtm Token: %s\n", result) rtm_token = result } } func rtmTokenHandler(w http.ResponseWriter, r *http.Request){ w.Header().Set("Content-Type", "application/json;charset=UTF-8") w.Header().Set("Access-Control-Allow-Origin", "*") w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS"); w.Header().Set("Access-Control-Allow-Headers", "*"); if r.Method == "OPTIONS" { w.WriteHeader(http.StatusOK) return } if r.Method != "POST" && r.Method != "OPTIONS" { http.Error(w, "Unsupported method. Please check.", http.StatusNotFound) return } var t_rtm_str rtm_token_struct var unmarshalErr *json.UnmarshalTypeError str_decoder := json.NewDecoder(r.Body) rtm_err := str_decoder.Decode(&t_rtm_str) if (rtm_err == nil) { rtm_uid = t_rtm_str.Uid_rtm } if (rtm_err != nil) { if errors.As(rtm_err, &unmarshalErr){ errorResponse(w, "Bad request. Please check your params.", http.StatusBadRequest) } else { errorResponse(w, "Bad request.", http.StatusBadRequest) } return } generateRtmToken(rtm_uid) errorResponse(w, rtm_token, http.StatusOK) log.Println(w, r) } func errorResponse(w http.ResponseWriter, message string, httpStatusCode int){ w.Header().Set("Content-Type", "application/json") w.Header().Set("Access-Control-Allow-Origin", "*") w.WriteHeader(httpStatusCode) resp := make(map[string]string) resp["token"] = message resp["code"] = strconv.Itoa(httpStatusCode) jsonResp, _ := json.Marshal(resp) w.Write(jsonResp) } func main(){ // Use an int type uid to generate an RTM Token http.HandleFunc("/fetch_rtm_token", rtmTokenHandler) fmt.Printf("Starting server at port 8082\n") if err := http.ListenAndServe(":8082", nil); err != nil { log.Fatal(err) } }

Refer to the BuildToken API reference for parameter descriptions.
The go.mod file defines the import paths and dependencies. To create this file for your token server, run the following command:

go mod init sampleServer
To install the dependencies, run the following command:

go get
To start the server, execute:

go run server.go

Important

This sample server is for development purposes only. It should not be used in a production environment.

To log in to Signaling using an RTM token, fetch a token from your token server and pass it to the SDK by calling loginByToken:

// Fetch a token from your token server

// Log in to Signaling
[rtm loginByToken:@"your_token" completion:^(AgoraRtmCommonResponse * _Nullable response, AgoraRtmErrorInfo * _Nullable errorInfo) {
    if (errorInfo == nil) {
        NSLog(@"login success!!");
    } else {
        NSLog(@"login failed, errorCode %d, reason %@", errorInfo.errorCode, errorInfo.reason);
    }
}];
Copy

Note

The user ID and app ID you use to initialize the Signaling client instance must be the same as the user ID and app ID you use on the token server to generate a token.
When integrating the Signaling SDK into your app, ensure that the app certificate is properly configured in Agora Console. The app certificate serves as a key authentication mechanism between your app and Agora SD-RTN™ to ensure secure and reliable communication.

Join a stream channel using a token

To join a stream channel using a token, fetch an RTC token from your token server and pass it to the SDK when you call joinWithOption. For details, refer to the API reference.

Token expiration and renewal

You configure the validity period of an RTM token in your token generator according to your business needs. The maximum validity period of a token is 24 hours. When an RTM token is about to expire, the tokenPrivilegeWillExpire callback is triggered 30 seconds before the expiration time. When you receive this callback, retrieve a fresh RTM token from your token server, and call renewToken to pass the new token to the SDK.

If the token expires, the SDK triggers an didReceiveLinkStateEvent callback and reports the following information:

currentState: AgoraRtmLinkStateFailed
operation: AgoraRtmLinkOperationServerReject
reason: Ticket expired

In this scenario, log out of Signaling using the logout method, retrieve a fresh token, and loginByToken again.

info

An alternative approach to handling token expiration through the tokenPrivilegeWillExpire and didReceiveLinkStateEvent callbacks is to handle expiration proactively. Best practice is to update the token periodically to ensure seamless authentication and uninterrupted operation.

Reference

This section contains content that completes the information on this page, or points you to documentation that explains other aspects to this product.

BuildToken API reference

This section explains the API parameters and descriptions for generating AccessToken2 using Golang as an example:

func BuildToken(appId string, appCertificate string, userId string, expire uint32) (string, error) {
    token := accesstoken.NewAccessToken(appId, appCertificate, expire)

    serviceRtm := accesstoken.NewServiceRtm(userId)
    serviceRtm.AddPrivilege(accesstoken.PrivilegeLogin, expire)
    token.AddService(serviceRtm)

    return token.Build()
}
Copy

Parameter	Description
`appId`	The app ID generated when you create a project in Agora Console.
`appCertificate`	Your app certificate.
`userId`	The user ID, used to identify a user or device. To differentiate between users and devices, ensure that the `userId` is globally unique and remains unchanged for the lifetime of the user or device.
`expire`	The validity period of the token (in seconds). The maximum validity period is 24 hours.