Use a token for authentication

更新时间:
复制 MD 格式

ApsaraVideo Real-time Communication (RTC) provides two methods to generate a token. This topic describes how to generate a token in the console and on the server-side.

Prerequisites

Background information

A token is a security signature designed by Alibaba Cloud to prevent malicious attackers from using your Alibaba Cloud services without authorization. You must provide an AppID, UserID, ChannelId, and Token in the logon function of the SDK. The AppID identifies your application, and the UserID identifies your user. The Token is calculated based on an algorithm. This makes it difficult for attackers to forge a Token and consume your service traffic.

Notes

Tokens generated in the console are temporary and intended for testing purposes only. For production environments, generate tokens on the server-side.

Generate a token in the console

  1. Log on to the ApsaraVideo Real-time Communication console.

  2. In the navigation pane on the left, choose Tools and go to the Tools page.

Generate a token on the server-side

Compared with generating a token in the console, generating a Token on the server-side provides maximum protection for the key used to compute the token and prevents the key from being leaked. The process is as follows:

  1. Before your application calls the SDK's initializer function, it must request a Token from your server.

  2. Your server calculates the Token using the AppToken tool provided by Alibaba Cloud.

  3. Your server returns the calculated authentication information to your application.

  4. Your application passes the authentication information to the SDK through your business API.

  5. The SDK submits the authentication information to Alibaba Cloud servers for verification.

  6. Alibaba Cloud verifies the authentication information to confirm its validity.

  7. After the verification is successful, the Real-Time Communication service starts.image

Parameter

Description

AppID

The application ID. Create it in the console.

UserID

A unique identifier for your user, generated by your AppServer. If a user with the same UserID logs on from another client, the client that joined the channel first is removed from the channel. It can contain uppercase letters, lowercase letters, and digits. The maximum length is 64 bytes. Example: 2b9be4b25c2d38c409c376ffd2372be1.

ChannelID

The channel ID, generated by your AppServer. You cannot set the ChannelID to 0. The ChannelID must be unique. It can contain uppercase letters, lowercase letters, digits, and hyphens (-). The maximum length is 64 bytes. Example: 181-218-3406.

Token

The token for joining a channel, generated by your AppServer.

  1. Validity: A token is valid for a maximum of 24 hours from its creation timestamp.

  2. Access control: By default, the SDK has permissions to send audio, send video, and perform other operations. To restrict a user's permissions, you can use this field for fine-grained control. By default, this feature is disabled, which means all permissions are granted.

For user-level access control, see Token privilege.

For channel-level parameter control, see Token options.

Token privilege

The privilege parameter is used for user-level access control. It supports control over the following permissions: sending audio, sending video, and sending screen sharing streams.

Privileges are used as follows:

  1. When requesting a token, assign different privilege parameters to different users.

  2. The SDK adds the permission property when it generates the token.

  3. The SDK uses the token to interact with RTC, and RTC verifies the token's permissions.

  4. If the permissions are insufficient, the related operation is denied.

The token contains a parameter named privilege that is used to pass permission information.

The value of the privilege parameter is a 16-bit number. Each bit represents a specific permission:

15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|            privilege              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  • bit0 is the least significant bit. If the value of bit0 is 1, access control is enabled. Otherwise, access control is disabled and all permissions are granted.

  • bit1 indicates whether the user can send audio.

  • bit2 indicates whether the user can send video.

  • bit3 indicates whether the user can send a screen sharing stream.

Examples:

  • privilege=0: Access control is disabled. All permissions are granted.

  • privilege=3 (binary: 0000 0000 0000 0011): The user can send audio but has no other permissions.

  • privilege=5 (binary: 0000 0000 0000 0101): The user can send video but has no other permissions.

  • privilege=7 (binary: 0000 0000 0000 0111): The user can send audio and video but has no other permissions.

For specific usage examples, see the sample code for different languages at the end of this topic.

Token options

The options parameter defines channel-level configurations that you can customize. For specific usage examples, see the sample code for different languages at the end of this topic. The value range is verified by the RTC service. If you have special requirements, you can submit a ticket to increase the upper limit.

  1. duration_per_channel

    • Description: The maximum duration of a channel, in seconds.

    • Value range: [300, 86400].

    • Default value: 86400.

    • Additional information:

      • The token's expiration time cannot exceed the sum of the current time and the channel duration. Otherwise, the user fails to join the channel. Evaluate your business needs and set this parameter as needed.

      • Due to the system implementation, there may be a maximum drift of 10 s from the configured value.

  2. delay_close_per_channel

    • Description: The maximum duration that a channel is kept alive after the last user leaves, in seconds.

    • Value range: [1, 86400].

    • Default value: 60.

    • Additional information:

      • Due to the system implementation, there may be a maximum drift of 10 s from the configured value.

Sample code

For examples of how to generate a Token on the server-side, see the following repositories: GitHub and Gitee.

  • For a Java example, see the AppToken class.

  • For a Go example, see the CreateAppToken function.

  • For a C# example, see the Program function.

  • For a Python 3 example, see the app_token function.

  • For a Python 2 example, see the app_token function.

  • For a PHP example, see the index function.

  • For a Node.js example, see the index function.