Authentication

QPub messaging APIs authenticate applications, not end-user dashboard logins.

Methods

MethodBest forCredential
API keyTrusted serverspublicId:secret via Basic or api_key
JWT tokenBrowsers and untrusted clientsBearer / access_token
Token requestBrowsers without exposing the secretSigned payload → JWT

Dashboard login (email/password, OAuth) is separate — see Accounts.

Server-to-server

const rest = new QPub.Rest({ apiKey: process.env.QPUB_API_KEY });

Browser / mobile

  1. Your backend holds the API key.
  2. Backend creates a JWT (issueToken) or a signed token request (createTokenRequest).
  3. Client uses the JWT or tokenRequest / authUrl with QPub.Socket.

Never ship the API key secret in public client code.

SDK options

new QPub.Socket({
  apiKey: "...",           // or
  authUrl: "https://...",  // POST returns { token } or { tokenRequest }
  tokenRequest: { /* ... */ },
  alias: "user-42",        // optional
});