Skip to contentSkip to navigationSkip to topbar
Rate this page:
On this page

User Identity & Access Tokens for Programmable Video


(warning)

Warning

This page is for reference only. We are no longer onboarding new customers to Programmable Video. Existing customers can continue to use the product until December 5, 2024(link takes you to an external page).
We recommend migrating your application to the API provided by our preferred video partner, Zoom. We've prepared this migration guide(link takes you to an external page) to assist you in minimizing any service disruption.

(warning)

Warning

This page is for reference only. We are no longer onboarding new customers to Programmable Video. Existing customers can continue to use the product until December 5, 2024(link takes you to an external page).
We recommend migrating your application to the API provided by our preferred video partner, Zoom. We've prepared this migration guide(link takes you to an external page) to assist you in minimizing any service disruption.


Overview

overview page anchor

An Access Token controls Participant identity and Room permissions in your Programmable Video application. Read below to learn more.


Access Tokens are JSON Web Tokens (JWTs)(link takes you to an external page). They are short-lived credentials that are signed with a Twilio API Key Secret and contain grants that govern the actions the client holding the token is permitted to perform.

End-users require an Access Token to join a Twilio Video Room. Below is the general workflow that your application will need to generate Access Tokens and allow end-users to connect to Twilio Video Rooms.

Access Token workflow.

All Twilio Access Tokens must include the following information:

  • A Twilio Account SID , which is the public identifier of the Twilio account associated with the Access Token.
  • An API Key SID , which is the public identifier of the key used to sign the token.
  • An Identity grant , which sets the Twilio user identifier for the client holding the token.
  • The API Key Secret associated with the API Key SID is used to sign the Access Token and verify that it is associated with your Twilio account.
(warning)

API Key Region

The API Key you use to create Access Tokens must be in the United States (US1) region. Access Tokens that are generated with API Keys in other regions outside of US1 will not work and will not connect to Video Rooms.

You can select the key's region when you create the API key(link takes you to an external page).

Create an API Key in the US1 region.

To see a list of your API keys in the United States (US1) region, select that region from the dropdown in the top right side of the page in the Auth Token and API Keys section of the Twilio Console(link takes you to an external page).

In the API Keys section of the Console, choose the US1 region to see all your API keys in that region.

Programmable Video Access Tokens also include the following information:

  • A mandatory Video grant , which indicates the holder of the Access Token can access Programmable Video services.
  • Optionally, a Room grant (contained within the Video grant) for a specific Room name or SID, which indicates the holder of the Access Token may only connect to the indicated Room.

Limit Room Access

limit-room-access page anchor

The Room grant allows you to scope a Participant's access to a single Room. When a Participant connects with a token that contains a Room grant, the value is compared against:

  1. The Room's UniqueName .
  2. The Room's Sid .

For example, if the Access Token contains a Room grant for DailyStandup, the client holding this Access Token will only be allowed to connect to the Room with the UniqueName property DailyStandup.

See below for working examples.

Time-To-Live (ttl)

time-to-live page anchor

Access Tokens must be valid while joining a Room and when reconnecting to a Room due to network disruption or handoff. We recommend that you set the ttl to the maximum allowed session length, which is currently 86,400 seconds (24 hours).


Generating Access Tokens

generating-access-tokens page anchor

You can generate Access Tokens using either a Twilio CLI plugin or a Twilio Helper Library. The Twilio CLI Plugin is a useful tool for creating individual Access Tokens for testing or getting started with Twilio Video. You should use the Twilio Helper Libraries to generate Access Tokens in your application's server.

Use the Twilio CLI plugin

generate-cli page anchor

The Twilio CLI has a plugin(link takes you to an external page) for generating Access Tokens from the command line. This can be useful for testing Access Tokens when you are starting to develop your application.

First, you will need to install the Twilio CLI and log in to your Twilio account from the command line; see the CLI Quickstart for instructions. Then, you can install the plugin with the following command:


_10
twilio plugins:install @twilio-labs/plugin-token

To generate an Access Token, run the following command. --identity is a required argument and should be a string that represents the user identity for this Access Token.


_10
twilio token:video --identity=<identity>

You can add other arguments to the command(link takes you to an external page), such as TTL and room name. To see the list of options, use the --help flag:


_10
twilio token:video --help

Use a Twilio helper library

generate-helper-lib page anchor

Use a Twilio server-side helper library to generate an Access Token in your back-end server. See below for examples of creating an Access Token for a particular user to enter a specific Video Room.

Creating an Access Token (Video)

creating-an-access-token-video page anchor
Node.js
Python
C#
Java
Go
PHP
Ruby

_28
const AccessToken = require('twilio').jwt.AccessToken;
_28
const VideoGrant = AccessToken.VideoGrant;
_28
_28
// Used when generating any kind of tokens
_28
// To set up environmental variables, see http://twil.io/secure
_28
const twilioAccountSid = process.env.TWILIO_ACCOUNT_SID;
_28
const twilioApiKey = process.env.TWILIO_API_KEY;
_28
const twilioApiSecret = process.env.TWILIO_API_SECRET;
_28
_28
const identity = 'user';
_28
_28
// Create Video Grant
_28
const videoGrant = new VideoGrant({
_28
room: 'cool room',
_28
});
_28
_28
// Create an access token which we will sign and return to the client,
_28
// containing the grant we just created
_28
const token = new AccessToken(
_28
twilioAccountSid,
_28
twilioApiKey,
_28
twilioApiSecret,
_28
{identity: identity}
_28
);
_28
token.addGrant(videoGrant);
_28
_28
// Serialize the token to a JWT string
_28
console.log(token.toJwt());

Access Token Server Sample Applications

access-token-server-sample-applications page anchor

These sample applications demonstrate the generation of Access Tokens in different programming languages.

If you do not want to host your own server to create Access Tokens, you can use a serverless Twilio Function to create an Access Token server hosted in Twilio's cloud. See an example of how to generate Access Tokens without a server(link takes you to an external page) or an example of creating a serverless video application(link takes you to an external page) in the Twilio Blog.

Generate tokens without a Twilio helper library

generate-tokens-without-a-twilio-helper-library page anchor

Using a Twilio helper library is the easiest way to create an Access Token. Twilio's helper libraries have code that generate the Access Tokens in the correct format. However, it is possible to write your own code to do this if you are not using a helper library.

Access Tokens are standard JSON Web Tokens(link takes you to an external page) that use the HS256 signing algorithm. The signing key is your API Key Secret. You can review all the elements included in the Access Token in the Access Token API documentation.

To ensure that you are creating a token with the correct format and grants, you can generate a single token using the Twilio CLI or Twilio helper libraries and decode its payload to verify you are generating your own tokens with the same format. You can decode a JWT token at https://jwt.io(link takes you to an external page).

You can also use the source code for Twilio's helper libraries as a reference to see how a particular library generates Access Tokens.

You can find the code for each helper library in GitHub:


After you have generated an Access Token on the server-side of your application (or generated an Access Token via the Twilio CLI), you can use it to connect to a Programmable Video Room in a client-side application. You can learn more about how to connect to a Video Room using an Access Token in the Getting Started guides for JavaScript, Android, and iOS.

Below are examples for connecting to a Twilio Video Room using an Access Token.


_10
const { connect } = require('twilio-video');
_10
_10
connect('$TOKEN', { name:'my-new-room' }).then(room => {
_10
console.log(`Successfully joined a Room: ${room}`);
_10
room.on('participantConnected', participant => {
_10
console.log(`A remote Participant connected: ${participant}`);
_10
});
_10
}, error => {
_10
console.error(`Unable to connect to Room: ${error.message}`);
_10
});


_18
private Room.Listener roomListener() {
_18
return new Room.Listener() {
_18
@Override
_18
public void onConnected(Room room) {
_18
Log.d(TAG,"Connected to " + room.getName());
_18
}
_18
}
_18
}
_18
_18
public void connectToRoom(String roomName) {
_18
ConnectOptions connectOptions = new ConnectOptions.Builder(accessToken)
_18
.roomName(roomName)
_18
.audioTracks(localAudioTracks)
_18
.videoTracks(localVideoTracks)
_18
.dataTracks(localDataTracks)
_18
.build();
_18
room = Video.connect(context, connectOptions, roomListener);
_18
}


_19
@IBAction func createARoom(sender: AnyObject) {
_19
let connectOptions = ConnectOptions(token: accessToken) { (builder) in
_19
builder.roomName = "my-room"
_19
}
_19
room = TwilioVideoSDK.connect(options: connectOptions, delegate: self)
_19
}
_19
_19
// MARK: RoomDelegate
_19
_19
func roomDidConnect(room: Room) {
_19
print("Did connect to Room")
_19
_19
if let localParticipant = room.localParticipant {
_19
print("Local identity \(localParticipant.identity)")
_19
_19
// Set the delegate of the local particiant to receive callbacks
_19
localParticipant.delegate = self
_19
}
_19
}


Rate this page: