- Docs
- Core Concepts
- Authentication
Authentication
QPub messaging APIs authenticate applications, not end-user dashboard logins.
Methods
| Method | Best for | Credential |
|---|---|---|
| API key | Trusted servers | publicId:secret via Basic or api_key |
| JWT token | Browsers and untrusted clients | Bearer / access_token |
| Token request | Browsers without exposing the secret | Signed payload → JWT |
Dashboard login (email/password, OAuth) is separate — see Accounts.
Recommended patterns
Server-to-server
const rest = new QPub.Rest({ apiKey: process.env.QPUB_API_KEY });
Browser / mobile
- Your backend holds the API key.
- Backend creates a JWT (
issueToken) or a signed token request (createTokenRequest). - Client uses the JWT or
tokenRequest/authUrlwithQPub.Socket.
Never ship the API key secret in public client code.
SDK options
new QPub.Socket({
apiKey: "...", // or
authUrl: "https://...", // POST returns { token } or { tokenRequest }
tokenRequest: { /* ... */ },
alias: "user-42", // optional
});
Related
Previous
API Overview
Next
API Key Auth