Managing permissions by issuing access tokens follows the analogy of a “hotel room key card”. Anyone that has that key card can open the doors that the card gives access to. It’s easy to give out those key cards right from your back end.
To set up your authentication endpoint with access token permissions, make sure to follow these quick steps.
To be able to use this pattern, you will have to name your rooms using a fixed
pattern of <team>:<room>
. For suggestions, read more on our
naming best practices.
To be able to use this pattern, you will have to name your rooms using a fixed
pattern of <org>:<team>:<room>
. For suggestions, read more on our
naming best practices.
Being able to specify permissions for infinite rooms using prefix pattern matching offers great powers, but it does assume that you design your room names a bit more cautiously. For example, granting room prefix permissions won’t work if you use random room IDs for your project, because there won’t be a shared prefix.
Therefore, if you want to adopt this pattern, we recommend designing your room names hierarchically in namespaced “buckets” in a way that makes sense for your app.
For example, if your app manages documents by team, each room could be named
using a <team-id>:<room-id>
pattern:
For example:
"engineering:R5AhJlTSKwBR"
"engineering:PqY3oqRcV-7Z"
"marketing:SVUPHaboSc10"
"marketing:Y7Uyw44YRxjY"
As another example, if your app is a SAAS product, and you have many customers,
you can add an additional top-level key to prefix your room names, e.g.
<app-id>::<group-id>/<room-id>
:
Example room IDs:
"jOzGLFEAedV5::engineering/R5AhJlTSKwBR"
"jOzGLFEAedV5::engineering/PqY3oqRcV-7Z"
"rGSoepTL7r-Y::marketing/SVUPHaboSc10"
"rGSoepTL7r-Y::marketing/Y7Uyw44YRxjY"
Again, the ::
and /
separators here are used for illustrative purposes. You
can use any separator you want.