The Red5 Backend SDKs let your server generate secure access tokens for video conferences and chat messaging. Available for Node.js, Java, and Go, they give you a simple API to create short-lived tokens that clients pass to the iOS SDK, Android SDK, or Conference SDK when joining a room or channel. Your master credentials stay on your server and are never exposed to end users.

Why you need it

When a user wants to join a video conference or send a chat message, the client SDK needs to authenticate against Red5 Cloud. If you hardcode master credentials in your app, anyone who decompiles or inspects your client can extract them. Instead, your backend uses the Backend SDK to mint a signed token scoped to a specific user, room, and role — the token carries only the minimum permissions needed, and it expires after a configurable time window.
Your master key and secret are available on the Dev Resources page in the Red5 Cloud dashboard. Store them as environment variables on your server and never commit them to source control.

Token types

  • Conference token — authorizes a user to join a specific video room with a given role (admin, publisher, or subscriber). Pass this token to client.join() in the Conference SDK, or to the setToken() method in the iOS or Android SDK.
  • Chat token — authorizes a user to read and/or write on a specific PubNub channel. Pass this token to setChatToken() on the iOS or Android SDK client.

Installation

npm install red5-bcs-node
The red5-bcs-node package is not yet published to the npm registry. Contact Red5 support to obtain the package.

Conference token generation

import Red5Client from 'red5-bcs-node';

const client = new Red5Client(
  process.env.RED5_MASTER_KEY,
  process.env.RED5_MASTER_SECRET
);

const token = await client.getConferenceToken(
  'user-123',    // userId
  'room-abc',    // roomId
  'publisher',   // role: 'admin' | 'publisher' | 'subscriber'
  60             // expirationMinutes
);

console.log(token); // pass this to the client SDK

Chat token generation

const chatToken = await client.getChatToken(
  'user-123',        // userId
  'channel-global',  // channelId
  true,              // read permission
  true,              // write permission
  30                 // ttlMinutes
);

console.log(chatToken);

Roles

| Role | Permissions |
| --- | --- |
| admin | Full room access and conference management |
| publisher | Publish audio and video streams |
| subscriber | View and listen only |

Full example

The following shows a complete server handler that issues both a conference token and a chat token for a single user request.

import Red5Client from 'red5-bcs-node';

async function issueTokens(userId, roomId, channelId) {
    const client = new Red5Client(
        process.env.RED5_MASTER_KEY,
        process.env.RED5_MASTER_SECRET
    );

    const conferenceToken = await client.getConferenceToken(
        userId, roomId, 'publisher', 60
    );

    const chatToken = await client.getChatToken(
        userId, channelId, true, true, 60
    );

    return { conferenceToken, chatToken };
}

Using tokens with client SDKs

Once your backend issues a token, pass it to the appropriate client SDK method:
  • Conference SDK — pass as the token argument to client.join()
  • iOS SDK — pass to .setToken() or .setAuthToken() on Red5WebrtcClientBuilder
  • Android SDK — pass to .setToken() on IRed5WebrtcClient.builder()
  • Chat (iOS) — pass to .setPubnubAuthKey() on Red5WebrtcClientBuilder
  • Chat (Android) — pass to .setChatToken() on IRed5WebrtcClient.builder()

Security best practices

Never generate tokens on the client or expose your master credentials in frontend code. Always call token generation from your backend over a server-to-server connection.
  • Store master credentials as environment variables, not in source code
  • Use HTTPS for all token delivery endpoints
  • Keep token lifetimes short — 30 to 60 minutes is a reasonable default
  • Validate the requesting user’s identity on your backend before issuing a token
  • Use the minimum role required (subscriber instead of publisher for view-only users)
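
One way to apply the identity, minimum-role and lifetime practices above before calling getConferenceToken(), as an added example that is not Red5's code. ROOM_MEMBERS, MAX_TTL_MINUTES, the session object and both function names are assumptions; only the getConferenceToken(userId, roomId, role, expirationMinutes) call shape comes from this page.

```javascript
// Added example: policy check in front of getConferenceToken().
// ROOM_MEMBERS, MAX_TTL_MINUTES and the session shape are assumptions.
const ROLE_RANK = { subscriber: 0, publisher: 1, admin: 2 };
const MAX_TTL_MINUTES = 60;
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Constructed sample data: the highest role each user may hold per room.
const ROOM_MEMBERS = {
  'room-abc': { 'user-123': 'publisher', 'user-456': 'subscriber' },
};

// Decide what this request may receive. `session` must come from your own
// authentication layer; a userId in the request body is never trusted.
function authorizeTokenRequest(session, request, members = ROOM_MEMBERS) {
  if (!session || typeof session.userId !== 'string') {
    return { ok: false, status: 401, reason: 'not authenticated' };
  }
  const { roomId, role = 'subscriber', expirationMinutes } = request || {};
  const room = has(members, roomId) ? members[roomId] : null;
  const entitled = room && has(room, session.userId) ? room[session.userId] : null;
  if (!entitled) {
    return { ok: false, status: 403, reason: 'not a member of this room' };
  }
  if (!has(ROLE_RANK, role)) {
    return { ok: false, status: 400, reason: 'unknown role' };
  }
  if (ROLE_RANK[role] > ROLE_RANK[entitled]) {
    return { ok: false, status: 403, reason: 'role exceeds entitlement' };
  }
  // Clamp the lifetime so a client cannot request a long-lived token.
  const asked = Number.isInteger(expirationMinutes) ? expirationMinutes : 30;
  const ttl = Math.min(Math.max(asked, 1), MAX_TTL_MINUTES);
  return { ok: true, userId: session.userId, roomId, role, expirationMinutes: ttl };
}

// Mint a token only after the policy check passes. `client` is any object with
// the getConferenceToken(userId, roomId, role, expirationMinutes) method.
async function issueConferenceToken(client, session, request) {
  const decision = authorizeTokenRequest(session, request);
  if (!decision.ok) return decision;
  const token = await client.getConferenceToken(
    decision.userId, decision.roomId, decision.role, decision.expirationMinutes
  );
  return { ok: true, token };
}
```

In a real handler, replace ROOM_MEMBERS with a lookup against your own user and room records, and return decision.status to the caller when ok is false.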