Secure authentication

Authentication is the act of validating the identity of each user before they access a system. Agora uses digital tokens to authenticate users and their privileges before they access Agora SD-RTN to join . Each token is valid for a limited period and works only for a specific channel. For example, you cannot use the token generated for a channel called AgoraChannel to join the AppTest channel.

This page shows you how to quickly set up an authentication token server, retrieve a token from the server, and use it to connect securely to a specific channel.

Understand the tech

An authentication token is a dynamic key that is valid for a maximum of 24 hours. On request, a token server returns an authentication token that is valid to join a specific channel.

When users attempt to connect to an Agora channel from your app, your app retrieves a token from the token server in your security infrastructure. Your app then sends this token to Agora SD-RTN for authentication. Agora SD-RTN validates the token and reads the user and project information stored in the token. A token contains the following information:

The App ID of your Agora project
The App certificate of your Agora project
The channel name
The user ID of the user to be authenticated (optional)
The privilege of the user, either as a publisher or a subscriber
The Unix timestamp showing when the token will expire

The following figure shows the call flow you need to implement to create step-up-authentication with Agora :

token authentication flow

Prerequisites

To follow this procedure you must have:

Implemented the Quickstart
Created a Heroku account

Android Studio 4.1 or higher.
Android SDK API Level 24 or higher.
A mobile device that runs Android 4.1 or higher.

An Agora account and project.
A computer with Internet access.

Ensure that no firewall is blocking your network communication.

Project setup

To integrate token authentication into your app, do the following:

Open the project you created in the:
- UI Kit quickstart
- SDK quickstart

Implement the authentication workflow

In the Get Started project you implemented, the app uses an authentication token obtained manually from Agora Console to join a channel. In a production environment, your app retrieves this token from a token server. This section shows you how to:

Create and run a token server

Retrieve and use tokens from a token server

Create and run a token server

This section shows you how to deploy a token server on Heroku.

Click here and deploy a token server to Heroku.

Heroku retrieves the project code and necessary files from Github and takes you to a Create New App page. On this page, fill in the following information:
1. app-name: A name for your token server, containing only lowercase letters, numbers, and dashes.
2. APP_CERTIFICATE: The obtained from Agora Console.
3. APP_ID: The App ID obtained from Agora Console.
Click Deploy app. Heroku configures and builds the token server.

You see a message 'Your app was successfully deployed.'
Click View.

Heroku opens the token server URL in your browser. The URL is of the form <app-name>.herokuapp.com where <app-name> is the name you chose for your token server.

Don’t worry if you see 404 page not found in your browser. Follow the next steps and test your server.
Test your server
1. Ping the server
  
  Load the following URL in a browser tab. Replace <app-name> with the name of your server.
  
  _1https://<app-name>.herokuapp.com/ping
  
  You see the following message in your browser:
  
  _1{"message":"pong"}
2. Retrieve a token
  
  To retrieve an RTC token, send a request to the token server using a URL based on the Token server GET request structure:
  
  _1/rtc/:channelName/:role/:tokentype/:uid/?expiry=expireTime
  
  For example: https://my-token-server.herokuapp.com/rtc/MyChannel/1/uid/0/?expiry=300
  
  Your token server returns the following JSON object to your browser:
  
  _1{"rtcToken":"ThisIsAnExampleTokenThisIsAnExampleTokenThisIsAnExampleTokenThisIsAnExampleTokenThisIsAnExampleToken"}

To see how to create a token generator inside your IAM system, see Integrate a token generator.

Authentication using UI Kit

To retrieve tokens from the token server and use them to authenticate your app with Agora SD-RTN using UI Kit

Specify the token server URL

In the MainActivity class, declare the following variable to hold the token server URL.

_3// The base URL to your token server. _3// For example, "https://app-name.herokuapp.com" _3private String serverUrl = "<Token Server URL>";

Make sure you specify the token-server URL in exactly the same format as shown in the example.
Set the token URL for AgoraVideoViewer

To set the token URL, you create an AgoraSettings object, set its TokenURL property and pass this object to the constructor when initializing AgoraVideoViewer. To do this, replace the code in the try {…} block of the initializeAndJoinChannel() method with the following:

_4AgoraSettings settings = new AgoraSettings(); _4settings.setTokenURL(serverUrl); _4agView = new AgoraVideoViewer(this, new AgoraConnectionData(appId, null), _4 AgoraVideoViewer.Style.FLOATING, settings, null);
Fetch a token from the server when you join a channel

In the joinChannel() method, replace the agView.join call with the following:

_1agView.join(channelName, true, Constants.CLIENT_ROLE_BROADCASTER, 0);

Authentication using Video SDK

To retrieve tokens from the token server and use them to authenticate your app with Agora SD-RTN using Video SDK

Add the necessary dependencies

In order to make HTTPS calls to a token server and interpret the JSON return parameters, integrate the OkHttp client and Gson library into your Android project. In /Gradle Scripts/build.gradle (Module: <projectname>.app), add the following lines under dependencies.

_8... _8dependencies _8{ _8 ... _8 implementation 'com.squareup.okhttp3:okhttp:4.9.3' _8 implementation 'com.google.code.gson:gson:2.9.0' _8 ... _8}
Allow cleartext network traffic

Add the following line in /app/Manifests/AndroidManifest.xml, under <application:

_1android:usesCleartextTraffic = "true"
Enable the user to specify a channel name

Add a text box to the user interface. In /app/res/layout/activity_main.xml add the following lines before </RelativeLayout>:

_10<EditText _10 android:id="@+id/editChannelName" _10 android:layout_width="match_parent" _10 android:layout_height="wrap_content" _10 android:layout_below="@id/JoinButton" _10 android:layout_alignStart="@id/JoinButton" _10 android:layout_alignEnd="@id/LeaveButton" _10 android:hint="Type the channel name here" _10 android:inputType="text" _10 android:text="" />
Add the required import statements

In /app/java/com.example.<projectname>/MainActivity, add the following lines after the last import statement:

_13import android.util.Log; _13import android.widget.EditText; _13 _13import okhttp3.OkHttpClient; _13import okhttp3.Request; _13import okhttp3.Response; _13import okhttp3.Call; _13import okhttp3.Callback; _13 _13import com.google.gson.Gson; _13 _13import java.io.IOException; _13import java.util.Map;
Add variables for your connection to the token server

Declare the variables you need to specify the user id, token role, token server URL and the token expire time. Add the following declarations to the MainActivity class after private RtcEngine agoraEngine;

_4private int tokenRole; // The token role: Broadcaster or Audience _4private String serverUrl = "<Token Server URL>"; // The base URL to your token server, for example, "https://app-name.herokuapp.com". _4private int tokenExpireTime = 40; // Expire time in Seconds. _4private EditText editChannelName; // To read the channel name from the UI.

Make sure you specify the token server URL in exactly the same format as shown in the example.
Set up access to the channel name text box from code

Add the following line at the end of the onCreate method,.

_1editChannelName = (EditText) findViewById(R.id.editChannelName);
Retrieve a token from the server

Use a GET request to retrieve an authentication token for a specific channel from the token server, then decode the return parameters.

In the MainActivity class, add the following fetchToken method:

_35// Fetch the RTC token _35private void fetchToken(int uid, String channelName, int tokenRole) { _35 // Prepare the Url _35 String URLString = serverUrl + "/rtc/" + channelName + "/" + tokenRole + "/" _35 + "uid" + "/" + uid + "/?expiry=" + tokenExpireTime; _35 _35 OkHttpClient client = new OkHttpClient(); _35 _35 // Instantiate the RequestQueue. _35 Request request = new Request.Builder() _35 .url(URLString) _35 .header("Content-Type", "application/json; charset=UTF-8") _35 .get() _35 .build(); _35 Call call = client.newCall(request); _35 call.enqueue(new Callback() { _35 _35 @Override _35 public void onFailure(Call call, IOException e) { _35 Log.e("IOException", e.toString()); _35 } _35 _35 @Override _35 public void onResponse(Call call, Response response) throws IOException { _35 if (response.isSuccessful()) { _35 Gson gson = new Gson(); _35 String result = response.body().string(); _35 Map map = gson.fromJson(result, Map.class); _35 String _token = map.get("rtcToken").toString(); _35 setToken(_token); _35 Log.i("Token Received", token); _35 } _35 } _35 }); _35}
Join a channel using the token

Use the retrieved token to either join a channel or to renew an expiring token.

In the MainActivity class, add the following setToken method:
Handle the event triggered by Agora SD-RTN when the token is about to expire

A token expires after the expireTime specified in the call to the token server or expires after 24 hours, if the time is not specified. The onTokenPrivilegeWillExpire event receives a callback when the current token is about to expire so that a fresh token may be retrieved and used.

In the MainActivity class, add the following method after private final IRtcEngineEventHandler mRtcEventHandler = new IRtcEngineEventHandler() {

_7// Listen for the event that the token is about to expire _7@Override _7public void onTokenPrivilegeWillExpire(String token) { _7 Log.i("i", "Token Will expire"); _7 fetchToken(uid, channelName, tokenRole); _7 super.onTokenPrivilegeWillExpire(token); _7}
Update the joinChannel method to fetch a token

In the MainActivity class, replace the joinChannel method with the following:

Test your implementation

To ensure that you have implemented Agora token authentication workflow in your app:

Generate a token in Agora Console.

Users communicate securely using channels in the same project. The App ID you use to generate this token must be the same one you supplied to Heroku.
In your browser, navigate to the Agora web demo and update App ID, Channel, and Token with the values for your temporary token, then click Join.

Set the variables in your app:
1. Update appID in the declarations to the value from Agora Console.
2. Set token to an empty string in the declarations.
3. Update serverUrl in the declarations to the base address of your token server, for example, https://app-name.herokuapp.com.
4. If you are developing with UI Kit: set channelName to the same Channel you specified in the web demo app.
Connect a physical Android device to your development device.
In Android Studio, click Run app. A moment later you see the project installed on your device.

If this is the first time you run the project, grant microphone and camera access to your app.
If you are developing with Video SDK: enter the same channel name in the UI text box that you used to connect to the Agora web demo.
Click Join to connect your Android app to the web demo app.

Your app magically connects to the same channel you used in web demo. You don’t need to hardcode a token in your app; each channel is secured with a specific token, and each token is refreshed automatically. That’s pretty cool!

/rtc/:channelName/:role/:tokentype/:uid/?expiry=expireTime

:channelName is the name of the Agora Channel you wish to join

A channel name may contain numbers with both upper and lower case letters. The name length must be less than 64 characters.
:role is the user role

Use 1 for publisher, 2 for subscriber.
:tokentype is the type of token

Agora SD-RTN supports both integer user IDs and string user accounts for token generation. To ensure smooth communication, all the users in a channel must use the same type of ID, that is, either the integer uid, or a string userAccount. Best practice is to use the uid.
:uid is the user ID

User Id can be any 32-bit unsigned integer. It can be set to 0, if you do not need to authenticate the user based on the user ID.
expireTime (optional) is the number of seconds after which the token will expire

By default, a token expires after 24 hours unless a shorter life span is explicitly specified in the token request.

Agora Developer Center

Secure authentication

Understand the tech

Prerequisites

Project setup

Implement the authentication workflow

Create and run a token server

Authentication using UI Kit

Authentication using Video SDK

Test your implementation

Reference

Source code for a token server

Token server GET request structure

API Reference