Access Tokens
Novaza Live uses short-lived access tokens to authorize participants into rooms. Your application mints a token for each user, the user presents that token to the Live server, and the server grants exactly the permissions encoded in the token. Users never authenticate directly against the Live server.
Token Format
Tokens are JWTs signed with your workspace’s Live API key. Each token carries:
| Claim | Purpose |
|---|---|
| sub | The participant’s identifier in your system |
| name | Display name shown to other participants |
| room | The room the token is valid for |
| permissions | What the participant can do (publish, subscribe, moderate, share) |
| metadata | Arbitrary JSON attached to the participant |
| exp | Expiry (typically 5 minutes from now) |
Minting a Token
Tokens are minted server-side. Never ship the API key to the browser.
```javascript
import { AccessToken } from '@novaza/live-sdk';

// API_KEY and API_SECRET come from server-side configuration, never from client code.
const token = new AccessToken(API_KEY, API_SECRET, {
  identity: 'user-42',
  name: 'Alice',
  ttl: 300, // seconds
});

// Grant only what this participant needs in this room.
token.addGrant({
  room: 'daily-standup',
  canPublish: true,
  canSubscribe: true,
  canPublishData: true,
});

const jwt = token.toJwt();
```

Pass the JWT to your front end and give it to the Live SDK when connecting.
Permissions

| Grant | Allows |
|---|---|
| canPublish | Send audio / video to the room |
| canSubscribe | Receive other participants’ streams |
| canPublishData | Send in-room chat / data messages |
| canPublishSources | Restrict to specific tracks (camera, microphone, screen_share) |
| roomAdmin | Mute participants, end the room, change settings |
| roomCreate | Create rooms on demand |
Omitting a grant denies the capability. Use the most restrictive set that still lets the user do their job.
Rotating the API Key
Workspace owners can rotate the Live API key from Settings → Live → API keys. Rotating invalidates all existing tokens immediately — issue new ones before rotating in production.
Debugging
The Live dashboard shows the decoded claims of every connected participant. If a connection is rejected, the dashboard explains which claim failed (expired, wrong room, missing grant) so you can fix the minting logic quickly.