Authentication and Tokens for VideoSDK - Flutter

Why we are using JWT based Token ?

Token based authentication allows users to verify their identity by providing generated API key and secret.

We use JWT token for the authentication purpose because Token-based authentication is widely used in modern web applications and APIs because it offers several benefits over traditional authentication. For example, it can reduce the risk of the credentials being misused, and it allows for more fine-grained control over access to resources. Additionally, tokens can be easily revoked or expired, making it easier to manage access rights.

How to generate Token ?

To manage secured communication, every participant that connects to the meeting needs an access token. You can easily generate this token by using your apiKey and secret-key which you can get from VideoSDK Dashboard.

1. Generating token from Dashboard

If you are looking to do testing or for development purpose, you can generate a temporary token from VideoSDK Dashboard's API section.

tip

The best practice for getting token includes generating it from your backend server which will help in keeping your credentials safe.

2. Generating token in your backend

• Your server will generate access token using your API key and secret.
  • While generating a token, you can provide expiration time, permissions and roles which are discussed later in this section.
• Your client obtains token from your backend server.
• For token validation, client will pass this token to VideoSDK server.
• VideoSDK server will only allow entry in the meeting if the token is valid.

TOKEN GENERATION

NodeJS

• NodeJS
• PHP
• Python
• .NET
• Go
• Java
• Ruby
• Rust

const jwt = require('jsonwebtoken');

const API_KEY = <YOUR API KEY>;
const SECRET = <YOUR SECRET>;

const options = { 
 expiresIn: '120m', 
 algorithm: 'HS256' 
};
const payload = {
 apikey: API_KEY,
 permissions: [`allow_join`], // `ask_join` || `allow_mod` 
 version: 2, //OPTIONAL
 roomId: `2kyv-gzay-64pg`, //OPTIONAL
 participantId: `lxvdplwt`, //OPTIONAL 
 roles: ['crawler', 'rtc'], //OPTIONAL
};

const token = jwt.sign(payload, SECRET, options);
console.log(token);

Follow our official example repositories to setup token API videosdk-rtc-api-server-examples

Payload while generating token

{
 apikey: API_KEY, //MANDATORY
 permissions: [`allow_join`], //`ask_join` || `allow_mod` //MANDATORY
 version: 2, //OPTIONAL
 roomId: ROOM_ID, //OPTIONAL,
 participantId: PARTICIPANT_ID, //OPTIONAL
 roles: ['crawler', 'rtc'], //OPTIONAL
}

• apikey(Mandatory): This must be the API Key generated from the VideoSDK Dashboard. You can get it from here.

• permissions(Mandatory): By providing the permissions, you can control what a participant can do in the meeting and whether he can join the meeting directly.

  Available permissions are:

  • allow_join: The participant is allowed to join the meeting directly.
  • ask_join: The participant is required to ask for permission to join the meeting. The participant having the permission allow_join can accept or reject a participant whenever someone wants to join.
  • allow_mod: The participant is allowed to toggle webcam & mic of other participants.

• version(optional): For accessing the v2 API, you need to provide 2 as the version value.

  • For passing roomId, participantId or roles parameters in payload, it is essential to set the version value to 2.

• roomId(optional): To provide customised access control, you can make the token applicable to a particular room by including the roomId in the payload.

• participantId(optional): You can include the participantId in the payload to limit the token's access to a particular participant.

• roles(optional):

  • crawler: This role is only for accessing v2 API, you can not use this token for running the Meeting/Room.
  • rtc: This role is only allowed for running the Meeting / Room, with this role you can not use server-side APIs.

Then, you have to sign this payload with your SECRET KEY and jwt options using the HS256 algorithm.

Expiration time

You can set any expiration time to the token. But in the production environment, it is recommended to generate a token with short expiration time because by any chance if someone gets hold of the token, it won't be valid for a longer period of time.

What happens if token is expired?

If your token is expired, the user won't be able to join the meeting and all the API calls will give error with message Token is invalid or expired.

note

Token is validated only once while joining the meeting, so if a person joins the meeting and the token gets expired after that, there won't be any issue in the current meeting.

How to check validity of token?

1. After generating the token, visit jwt.io and paste your token in the given area.
2. You will be able to see the payload you passed while generating the token and also be able to see the expiration time and token creation time.

API Settings & Controls

The VideoSDK Dashboard provides a powerful API Settings section where you can configure various services and controls for your meetings. These settings allow you to customize the behavior of different features directly from the dashboard without requiring code changes.

Audio/Video Configurations

note

Runtime configuration from the dashboard has higher precedence than static SDK configurations. If a value is modified in the dashboard, it will override any previously defined SDK settings for that session.

Example: Code: Video = HD → Dashboard: Video = Full HD → Applied: Full HD

Maximum Send Bitrate Per Participant

Control the maximum total upload bandwidth for all media streams from a single participant.

Available Options:

• Auto: Removes the upload bitrate limit (recommended for best quality)
• SD (800kbps): Standard definition bitrate
• HD (1500kbps): High definition bitrate
• Full HD (3000kbps): Full high definition bitrate

tip

Setting this to Auto provides the best video quality as it removes upload bitrate constraints, allowing adaptive streaming based on network conditions.

Recording & Streaming Configuration

note

Recording and HLS follow a precedence-based configuration model:

API/SDK configuration → Highest priority Dashboard configuration → Used only when no API values are defined

Any parameters explicitly set via the API will not be overridden by dashboard changes.

Recording Configuration

Configure recording settings for your meetings including layout, quality, and auto-start options.

Recording Controls:

• Enabled: Toggle to enable/disable recording functionality
• Enabled Modes: Choose between Video & Audio or Audio Only recording
• Start Recording Automatically: Auto-start recording when meeting begins
• Layout Style: Select Grid layout for recording composition
• Maximum Tiles In Grid: Set the number of participants visible in grid (1-25)
• Who to Prioritize: Choose Active Speaker or Pinned Participant
• Theme: Select System Default, Light, or Dark theme for recordings
• Video Orientation: Choose between Landscape or Portrait mode
• Recording Quality: Select quality level (e.g., HD Medium)
• Recording Mode: Choose between Video & Audio or Audio Only

HLS Streaming Configuration

Configure HTTP Live Streaming (HLS) settings for broadcasting your meetings.

HLS Streaming Controls:

• Enabled: Toggle to enable/disable HLS streaming
• Enabled Modes: Choose between Video & Audio or Audio Only streaming
• Auto Start HLS: Automatically start HLS when meeting begins
• Record HLS Stream: Enable recording of the HLS stream
• Layout Style: Select Grid layout for stream composition
• Maximum Tiles In Grid: Set the number of participants visible (1-25)
• Who to Prioritize: Choose Active Speaker or Pinned Participant
• Theme: Select System Default, Light, or Dark theme
• HLS Orientation: Choose between Landscape or Portrait mode
• HLS Quality: Select streaming quality (e.g., HD Medium)
• HLS Streaming Mode: Choose between Video & Audio or Audio Only

Additional Service Controls

Enable or disable additional services for your API key.

Available Services:

• RTMP Output: Enable RTMP streaming to external platforms
• SIP Integration: Enable SIP (Session Initiation Protocol) integration for telephony
• Realtime Translation: Enable real-time language translation in meetings

Transcription & Summary

Configure transcription and domain whitelisting for your API key.

Transcription Controls:

• Enabled: Toggle to enable/disable transcription and summary features
• Whitelist Domain: Add domain restrictions for API key usage
  • Enter domain names in the format https://domain.name
  • Click "Add Domain" to whitelist specific domains
  • Only whitelisted domains can use this API key
  • When no domains are whitelisted, the API key can be used from any domain