Tokens

Token types used by rstream and how they are created.

Tokens are the primary authentication mechanism in rstream. Tokens are presented to the engine on API requests, on signaling connections, and on HTTP tunnel requests when token authentication is enabled.

The rstream model distinguishes three token families: short-lived auth tokens, long-lived personal access tokens, and application credentials that can mint short-lived application tokens.

Auth tokens

Auth tokens are short-lived tokens associated with a user identity. In the hosted platform, auth tokens are minted by the control plane and are typically used for interactive sessions and short-term access.

Personal access tokens

Personal access tokens are long-lived tokens created from the Dashboard. They are designed for automation where a stable credential is required and interactive browser login is not appropriate.

In the hosted platform implementation, personal access tokens are signed using HS256 and are stored server-side as SHA-256 hashes, so the plaintext token is only visible at creation time. Tokens can be rotated or revoked from the Dashboard.

Application credentials

Application credentials consist of a client id and a client secret. They are intended for applications that integrate rstream and need to mint short-lived tokens without calling the rstream control plane on every request.

In the hosted platform implementation, application credentials use an ECDSA keypair (P-521). The public key is stored server-side, and the client secret is the private key encoded as a PKCS8 DER value. Tokens minted from application credentials are signed using ES512.

The JavaScript SDK can mint a short-lived token from application credentials:

const { token } = await client.auth.createAuthToken({ expires_in: 60 });