Authentication

Authentication helps keep your chat and user data secure. Without authentication:

  • Malicious users can send messages as anyone
  • Malicious users can read anyone's messages
  • Anyone can use the TalkJS API to send messages without using your site

When you first create your TalkJS account, all user authentication is turned off. This makes it easy to get started, but always enable authentication on all live services.

This page explains how to enable authentication and protect your user data.

Always enable authentication on any live service. Authentication keeps your user data secure by ensuring that only legitimate users can connect to your chat.

1. Generate a token

Begin by generating a token. Your backend digitally signs a token containing the user's ID, and the user presents that token when connecting to TalkJS. TalkJS will reject requests from any user who doesn't have a valid token.

To generate tokens, copy the relevant code snippet into your backend server and install the library listed on the first line.

// Uses `jsonwebtoken`: https://www.npmjs.com/package/jsonwebtoken
import jwt from 'jsonwebtoken';

const encoded_jwt = jwt.sign({ tokenType: 'user' }, '<SECRET_KEY>', {
  issuer: '<APP_ID>',
  subject: '<USER_ID>',
  expiresIn: '1d',
});
console.log(encoded_jwt);

In the code snippet, replace <APP_ID> with your own app ID, and replace <SECRET_KEY> with your own secret key. You can find both your app ID and secret key on the Settings page of your TalkJS dashboard. Then replace <USER_ID> with the ID of the user who is connecting to TalkJS.

Important: Never include your secret key in frontend code. It gives full admin access to your TalkJS account.

Your generated token should look similar to the following example:

eyJhbGciOiJIUzI1NiJ9.eyJ0b2tlblR5cGUiOiJ1c2VyIiwiaXNzIjoiRVhBTVBMRV9BUFAiLCJzdWIiOiJFWEFNUExFX1VTRVIifQ.L2xKxkn0mpK46PKP_S384N0mT1Flog38NAaaiy3nG-I

2. Pass a token

Next, make sure that your users pass their token when connecting to TalkJS. The token is different each time, so you need to set it dynamically. For example, if your backend is PHP, you might render the token into the page's JavaScript like this:

const talkSession = new Talk.Session({
  appId: "<APP_ID>",
  me: me,
  token: "<?= $authToken ?>",
});

Alternatively, a static website might send a web request asking your server to generate a token.

Test the solution. If TalkJS stops working once you provide a token, check the developer console for any warnings or error messages. If you're still stuck, send us a message in the chat on this page. Our developers will be happy to help.

3. Enable authentication (identity verification)

Once TalkJS loads without errors when you provide a token, you can enable authentication (identity verification) on the Settings page of your dashboard, under Security settings. With authentication enabled, only users with a valid token can connect to your chat. Any connections without a valid token get blocked.

Prevent expired sessions

The example code in this guide generates tokens that expire after 24 hours. If a user keeps the page open for more than 24 hours, TalkJS will stop working and ask them to refresh the page.

To add support for sessions lasting longer than 24 hours, follow the advanced authentication guide.