Authenticated and identified clients

The following terminology will help you to understand what authentication, authorisation and identification are in the context of the Ably service.


Authentication

The process of deciding, based on the presented credentials, whether or not an entity may interact with the Ably service. When authenticating with Ably, the credentials are either an API key or an auth token. The credentials may be presented explicitly, using Basic Authentication (the API key itself) or Token Authentication (a token), or the entity may prove possession of an API key indirectly by presenting a Token Request signed with that key; Ably exchanges the signed request for a token, which is then used for Token Authentication.


Authenticated client

A client of the Ably service that has been successfully authenticated.


Authorisation

The process of deciding whether or not a given entity (usually an authenticated one) is allowed to perform a given operation. In Ably, authorisation for most operations is based on the capabilities associated with the key or token that was used to authenticate the client. Find out how to configure capabilities for your API keys.


Identified client

An authenticated client with a specific claimed client identity, or clientId, whose credentials are verified as confirming that identity. See our documentation for an example of identifying a client when authenticating with Ably.

In Ably a client can be identified with a clientId in three ways:

  • if the client is authenticated with a token that is issued for that clientId;
  • if the client claims that clientId and is authenticated with an API key ("basic auth");
  • if the client claims that clientId and is authenticated with a token that is issued for a wildcard clientId (a special token privilege that allows any client identity to be assumed, and so, for identification purposes, is as powerful as holding the API key itself).

We encourage customers to issue tokens with a specific clientId, so that every client authenticates using a token and no client has access to an API key (or to a wildcard token). The customer then controls which clientId each of its clients may use, so all other clients can rely on the validity of the clientId attached to published messages and to members present in presence channels.


See the Ably Realtime documentation for details on how to instantiate the library, issue tokens or token requests, and specify a clientId for the connecting client or for the generated token.


Note: Channels can be configured to allow only identified clients. Find out more about channel rules.