[FTF-468] Several docs changes to highlight token auth over API key auth, as well as more info on using JWTs

[umair-ably]

Description

• Restructures auth documentation to recommend token authentication (specifically Ably JWT) as the default for client-side applications
• Adds new dedicated authentication pages for Chat and Spaces products
• Expands token auth documentation with a comparison table of token mechanisms and clearer guidance on choosing between Ably JWT, TokenRequest, and Embedded JWT
• Updates auth landing page with a quick reference table and starter code example
• Streamlines capabilities and identified-clients pages for clarity

Motivations/Objectives:

• JWT Token Auth becomes the obvious and clear auth pattern for production code.
• Customer's are easily able to navigate the docs site to find the appropriate auth info e.g. product specific auth guidance is nested in the product section. Auth is moved under platform. (Will be added in a later PR)

Checklist

• Commits have been rebased.
• Linting has been run against the changed file(s).
• The PR adheres to the writing style guide and contribution guide.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch authChanges

Tip

Try Coding Plans. Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).
Share your feedback on Discord.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[paddybyers]

I've commented on much of this but stopped around half way through. I think it needs significant revision to make JWT the primary recommended route. The narrative and examples all need updating to reflect this.

A lot of this is slop - it's been AI-generated and not critically reviewed.

[paddybyers]

Why are we suggesting authURL instead of callback here? Does it not need at least some comment?

[paddybyers]

Why is this using native tokens, instead of generating a JWT?

[paddybyers]

I'm not convinced this section adds anything. It feels like slop.

[mattheworiordan]

really a duplciate of https://ably-docs-authchanges-py2loc0j.herokuapp.com/docs/auth#selecting-auth. I do thinkg repetition is good at times, but why here?

[paddybyers]

These are not the only things that could go wrong, or even the most likely things that could go wrong.

Error 40103: Token expired

Not according to https://github.com/ably/ably-common/blob/main/protocol/errors.json#L40

If we're going to retain this section we should also refer to:
40160: incorrect capabilities
80019: error in auth callback/url
40171: no means to renew token

Perhaps we should defer adding this section until we've got the more thorough error code documentation landed?

[mattheworiordan]

Why do we need troubleshooting at all? We have error codes and paths. Do we think people are going to read this and pre-empty troubles?

[paddybyers]

I don't agree with this. We recommend JWT in all circumstances that they can be used. There are only two situations where you would use native tokens:

• where the capabilities list is so large that a literal token is unworkable;
• where the capabilities or clientId are sensitive in some way, and there is a desired to keep them confidential, even if inspecting the token.

Of these, I'm not sure we should even mention the second one because it's such an unusual case.

[paddybyers]

This is irrelevant. I suggest removing it.

[paddybyers]

This should refer to identified clients.

[paddybyers]

This is incorrect advice. It should state instead that a client needs to be identified in order to use certain reaction types. It does not imply the use of token auth.

[paddybyers]

I don't understand why this comment is here. Doesn't the chat SDK ensure that a client is always identified?

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[paddybyers]

Again, we should be recommending JWT auth.

[mattheworiordan]

Thanks for submitting. Good to see you take a stab at dealing with the LLM auth issues, but I think this PR needs a lot more human review by yourself before it's sent for others to review. Lots of obvious problems as it appears to have been pumped out directly from an LLM, which is great to move quickly, but thiks is our docs, and is representative of whether we care to customers.

[mattheworiordan]

I am not sure this is what we'd recommend, always sending both tokens instead of just the one you need? Why would a single endpoint be used for Ably and app auth, when both only need one of the two JWTs?

[mattheworiordan]

This URL doesn't match the server example you have above

[mattheworiordan]

This approach is broken in that a new app token cannot be generated as it's cached at the time of login, instead of obtaining one at the time it's needed

[mattheworiordan]

If that's teh case, why are you not specifying a TTL when issuing the token?

[mattheworiordan]

I am not sure we should be just listing out integrations with random providers like this. It doesn't really flow, at the start we're talking about issuing JWTs ,then we are showing random integrations where with this one we're just showing how to issue a token with Lambda, and then we move onto token renewal. It doesn' feel well thought through, why this order?

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[mattheworiordan]

This is not necessary. If this is needed, the problem of which auth mechanism t use is surely solved?

[umair-ably]

Thanks both @mattheworiordan @paddybyers

I should've made it clear I had not yet reviewed the LLM output, so this at the very least should've been a draft only! I mostly put it up to get a gauge on the kind of content we think we were missing and the placement of it.

However, your comments have massively helped me in understanding the scope of what needs changing in our auth docs, as well as highlighting my limited understanding of exactly what we're trying to tell and recommend to our customers. I've got a session with Mark and Paddy shortly to understand exactly what our position is re: Auth with Ably, what we're trying to tell our customers, and some historical context of how auth has evolved to the point we seem to have deviations in our docs.

I'm trying to solely use LLMs for this, so again, some of these changes are likely subpar as I get a better understanding of the problem later today. For the time-being, I've gone back and forth with Claude to "resolve" (or at least have a stab at resolving) your current comments.

I would ignore this for now until I've had a chance to capture and implement the findings from our meeting later today - this is purely to move the needle and help my own understanding from what you've presented in the comments so far.

Comments on auth/quick-reference.mdx (12 comments)

Comment	Resolved
paddybyers: Why authURL instead of callback?	✅ Added "authUrl vs authCallback" section explaining both
paddybyers: Why native tokens instead of JWT?	✅ Server examples now generate JWTs directly
paddybyers: Security comparison feels like slop	✅ Section removed
paddybyers: Troubleshooting section issues	✅ Section removed
mattheworiordan: Decision matrix unclear	✅ Removed, simplified to code examples
mattheworiordan: Duplicating overview page	✅ Simplified to quick reference focus
mattheworiordan: Server using Realtime not REST	✅ Now uses Ably.Rest server-side
mattheworiordan: getUserIdFromRequest odd name	✅ Now uses req.user?.id (auth middleware pattern)
All troubleshooting/product links comments	✅ These sections removed

Comments on auth/token.mdx (8 comments)

Comment	Resolved
paddybyers: JWT should be primary, not TokenRequest	✅ "Ably JWT is recommended for most use cases"
paddybyers: Serverless in wrong section	✅ Moved to JWT section (stateless)
paddybyers: TokenRequest advantages become disadvantages	✅ Restructured with proper trade-offs
paddybyers: Too much repetition	✅ Cleaned up, table simplified
mattheworiordan: Table values questionable	✅ Table revised with clearer yes/no values

Comments on auth/jwt-integration.mdx (8 comments)

Comment	Resolved
mattheworiordan: Sending both tokens wrong	✅ File simplified, single endpoint approach
mattheworiordan: URL mismatch	✅ Consistent /api/ably-jwt throughout
mattheworiordan: Token caching broken	✅ Now uses proper authCallback pattern
mattheworiordan: No TTL specified	✅ expiresIn: '1h' now included
mattheworiordan: Random provider list	✅ Provider integrations removed
mattheworiordan: getCurrentAppToken confusing	✅ Removed
mattheworiordan: "Next Steps" not used in docs	✅ Section removed

Comments on chat/authentication.mdx (12 comments)

Comment	Resolved
paddybyers: Should recommend JWT	✅ Creates JWTs directly
mattheworiordan: authMethod/authHeaders inconsistent	✅ Examples now consistent using authCallback
mattheworiordan: Send/receive should be separate	✅ Capability table has separate rows
mattheworiordan: Missing annotations/mutations	✅ Table includes annotation-publish, etc.
mattheworiordan: Wrong namespace format	✅ Correct my-room::$chat format
mattheworiordan: "Next Steps" section	✅ Removed

Comments on Chat Room Features (6 comments)

File	Comment	Resolved
rooms/occupancy.mdx	Auth callout irrelevant	✅ Removed
rooms/presence.mdx	Should link to identified-clients	✅ Links to /docs/auth/identified-clients
rooms/reactions.mdx	Should mention identified clients	✅ Now references identified clients
rooms/typing.mdx	Unnecessary auth note	✅ Removed

Comments on chat/setup.mdx (1 comment)

Comment	Resolved
Empty code blocks	✅ All code blocks now have content

Comments on spaces/authentication.mdx & spaces/avatar.mdx (2 comments)

Comment	Resolved
"Next Steps" not used in docs	✅ Removed
Auth note unnecessary in avatar.mdx	✅ Removed

---

Key Changes Made

1. JWT is now the recommended primary auth mechanism throughout all docs
2. Removed unnecessary sections: Security comparison, Troubleshooting, Next Steps, Provider integrations
3. Server examples use REST client instead of Realtime
4. Consistent authCallback examples across all SDKs
5. Accurate capability tables with separate permissions
6. Proper identified client references in Chat features
7. jwt-integration.mdx dramatically simplified from ~430 lines to ~89 lines
8. Fixed empty code blocks in setup.mdx

[paddybyers]

This is really hard to review because it's dominated by changes to the path for the auth docs. Please at least make all of those changes in a separate commit (but I don't see why it's not a separate PR). Then the other material changes can be reviewed.

[umair-ably]

This is really hard to review because it's dominated by changes to the path for the auth docs. Please at least make all of those changes in a separate commit (but I don't see why it's not a separate PR). Then the other material changes can be reviewed.

that's fair - the change was from our meeting in which we wanted auth docs under platform with shorter product auth guides in their respective sections. This then meant leaving the path as docs/auth or changing it to docs/platform/auth... I went with the latter purely because it matches the nav stack. I'll change it for the sake of this PR

[umair-ably]

@paddybyers I also unified the messaging we had when pointing people to the token auth docs... I'll revert this and do that as a separate PR.. just a moment

[umair-ably]

@mattheworiordan @paddybyers

Previous comments should be addressed.

There was a fair few more changes that I'll instead add in a subsequent PR (adding asides to current basic auth code examples which highlight using JWT token in prod, and redirects to ensure links point to the new auth docs location under platform)

[umair-ably]

remove this... duplicate

[umair-ably]

@paddybyers

Undone all nav changes for this PR... All auth docs changes are now isolated to their original location (under pubsub) and new product specific auth pages e.g. Chat and Spaces.

Upcoming PR(s) will reintroduce:

• Moving auth docs from pubsub to platform (and redirects where needed)
• MQTT and SSE docs changes
• Unifying and adding messaging around using JWT token auth where we have basic auth code examples

cc: @m-hulbert

[paddybyers]

Please see the comments. I think this still needs some work.

Discussions relating to auth have lots of scope for ambiguity so please use precise language. Every word has one meaning, and every meaning has one word.

@m-hulbert I'll defer to you on whether or not the restructure makes sense wrt the nav.

Someone from the Chat team needs to review the chat parts - having the ::$chat directive in the capability expression I'm sure is wrong (@splindsay-92 )

[paddybyers]

Suggested change

	Set capabilities in a JWT using the `x-ably-capability` claim. No Ably SDK is required—any JWT library will work:
	Set capabilities in a JWT using the `x-ably-capability` claim. No Ably SDK is required - any JWT library will work:

Please no em-dashes

[paddybyers]

Maybe worth just adding
This example uses jsonwebtoken
?

[paddybyers]

This says nothing about why JWT might not be suitable

[paddybyers]

I think this needs to be more explicit. The capabilities of the resulting token are the intersection of the request capabilities, and those of the issuing API key. (This is also true for JWT.)

The requestToken() request will fail if the intersection is empty - ie the token would have no rights.

This should also mention the gotcha: this intersection behaviour means that a call to requestToken() will succeed, but can fail to provide a token with all of the requested capabilities. If the capabilities of the issuing key are not known by the client, then a successful response to requestToken() should be followed by a check that all of the requested capabilities are present.

[paddybyers]

@m-hulbert Are we happy that "TokenRequest authentication" is the appropriate name in these docs for the native token mechanism?

[m-hulbert]

I think the high-level mechanism should be 'Ably Tokens' personally.

[paddybyers]

Note that this does not apply to presence

I thought we support that now - pls check

[paddybyers]

Suggested change

	Note that the machine on which you are running your auth server should have an accurate clock, as tokens and `TokenRequest` contain a timestamp. You can use an [NTP daemon](https://en.wikipedia.org/wiki/Ntpd), or if you are not able to control your server's clock, you can wish to use the `queryTime` [auth option](/docs/api/rest-sdk/types#auth-options).
	Note that the machine on which you are running your auth server should have an accurate clock, as tokens and `TokenRequest` contain a timestamp and have limited validity. You can use an [NTP daemon](https://en.wikipedia.org/wiki/Ntpd), or if you are not able to control your server's clock, you can wish to use the `queryTime` [auth option](/docs/api/rest-sdk/types#auth-options).

[paddybyers]

Please do not use bold like this. Use a heading if appropriate, or just plain text.

I don't understand why these channel claims are relevant to this use-case - can you explain?

[paddybyers]

Why is this relevant to a multi-tenanted system?

[paddybyers]

I think this is incorrect. A resource specifier in a capability expression will match on the channel name without the directive part.

[paddybyers]

Please don't use bold like this.
Please don't use the word "security" like this. There are words that mean the specific thing you're trying to say.

[m-hulbert]

Thanks Umair.

I can see this starting to take shape, but I think we need to make some larger changes, as we've made a long page even longer (and arguably more complicated) - with the actual code to get up and running 40% down the page.

I think we should split up the token authentication page into 3/4 separate ones;

• Overview
  • Covers anything that is true for all forms of token authentication.
  • I think this needs to mention that authentication is handled by the Pub/Sub SDK and what that means for other products.
• JWTs
  • Just info on JWTs with a mention at the top that it's recommended. authCallback used in examples in all languages - authUrl can be further down with associated examples, but most people will use the callback.
  • Note on when you'd use Ably native Tokens instead in the intro.
• Ably Tokens
  • Note at the top that JWTs are recommended and you'd only use Ably Tokens in these circumstances.
  • All info on Ably Token mechanisms. (I'd also include a token embedded in a JWT on this page personally, but defer to @paddy on the popularity of that).
• Token revocation
  • Makes sense to nest this if we create this section.

We've also added a lot of "JWT is recommended" in places, but I feel we should just stick to the points around length of the JWT and its publicly visible claims. If we create a token authentication overview, I feel all we need to state is 'use JWT authentication unless...". And then reiterate that at the top of the JWT and Ably Token pages.

Can we also ensure we have full coverage for all languages whilst we're updating this please?

[m-hulbert]

I feel this is sort of trying to justify the use of JWTs which I'm not sure is strictly necessary if we position it as the recommended approach. Would be curious on other opinions though.

[m-hulbert]

I'm not sure why some of these rows are bold and others aren't.

[m-hulbert]

We don't tend to write 'this page covers'. This should dive straight into what Chat authentication is, and that it's handled by the Pub/Sub SDK.

We also spoke about this replacing the SDK setup page, so I don't think we should be updating that page, and adding this one as it's just splitting the info between two pages. Especially when this page (which should be the go-to for auth) is only showing JS examples.

[m-hulbert]

We seem to have taken the table from the existing setup page and added more rows unnecessarily.

[m-hulbert]

We should be using the variable for a demo key in all code examples please.

[m-hulbert]

Can we ensure links are included inline rather than having 'see X' or 'read more' everywhere please.

[m-hulbert]

I think most of my comments from chat are relevant here.

[m-hulbert]

This is the first point we're mentioning that space is equivalent to a channel. Before now you have no idea or concept of their relationship.

[m-hulbert]

IIRC the channel name is your-space::$space. I'm not 100% if spaces directives are handled in capabilities automatically the same way that chat ones are though.

[m-hulbert]

Also needs React.

[m-hulbert]

Thanks Umair - still a few things that don't quite match up throughout or are still stating incorrect behaviour.

I think to summarise:

• Code should be available in all languages supported by that SDK client-side. Server-side should cover all popular choices here, but the key is to be consistent wherever we're providing code.
• The Chat directive issue is still included here which I'm 99% sure is wrong.
• There's some content being included in JWTs that is applicable to all auth types.
• We have some odd duplication of tables and content that aren't quite the same, but should be centralised when helping someone choose the right auth mechanism.

[m-hulbert]

I'm not sure 'Ably Tokens' is the correct term here to encompass JWT and what we're referring to as 'Ably Tokens'.

[m-hulbert]

Suggested change

	**Never use API keys in client-side code.** API keys don't expire. Once compromised, they grant indefinite access. Use [token authentication](/docs/auth/token) with tokens that can have narrowly-scoped capabilities, can be short-lived, and can be revoked.
	**Never use API keys in client-side code.** API keys don't expire. Once compromised, they grant indefinite access. Use [token authentication](/docs/auth/token) with tokens that have narrowly-scoped capabilities, are short-lived, and can be revoked.

[m-hulbert]

I think this is a bit odd to have on the overview without any context. I think we've done enough to funnel people to JWTs without it.

[m-hulbert]

We're listing 'authorization' here but then we never use that word again other than referring to the authorize method.

We've also got the obvious bolded list LLM approach here.

[m-hulbert]

Suggested change

	Every Ably app can have one or more API keys associated with it. API keys authenticate directly with Ably or issue tokens. Keys can have different [capabilities](/docs/auth/capabilities), and tokens issued from a key can only have a subset of those capabilities.
	Every Ably app can have one or more API keys associated with it. API keys authenticate directly with Ably or are used to issue tokens.
	Keys can have different [capabilities](/docs/auth/capabilities), and tokens issued from a key can only request a subset of those capabilities.

[m-hulbert]

I think the code might be better directly after 'authentication flow' maybe - WDYT?

[m-hulbert]

I think the code sample needs to be directly below this point.

[m-hulbert]

Link to revocation.

[m-hulbert]

These changes are incorrect.

[m-hulbert]

I think the same changes for Chat need to be applied here too. The only thing I'm not 100% on is the directive usage for Spaces, but I'm pretty sure it's the same as per Chat now.

[paddybyers]

I think there's quite a bit still to do here. Please see comments

[paddybyers]

An authenticated token

I realise that this wording was here before this PR, but I don't think this is correct. I think we should refer to this as an "authentication token".

[paddybyers]

I think this introductory section should say a bit more to give the reader context.

The principal way that token authentication is supported in Ably is JWT tokens...). However, Ably tokens relate to an alternative mechanism that predates Ably's support for JWT. Unlike JWTs, Ably tokens aren't generated by a client but are issued by the Ably service via a /requestToken endpoint; a client generates a signed Token Request and this is exchanged for a token by the Ably service. This means that, in general, integrating an application to use Ably tokens is more involved; Ably tokens also do not support all of the functionality now available with JWTs. However, there are still some circumstances where the use of Ably tokens is recommended:
.. etc

[paddybyers]

This doesn't make any sense. You have to have some reason to be using Ably tokens in the first place. Then, separately, you might have a need to wrap them. If you want to wrap tokens, you can also do that with JWTs, so this by itself isn't a reason to use Ably tokens.

[paddybyers]

This is true, but not relevant to this section.

[paddybyers]

Ably tokens are only ever issued in one way. This discussion is about who performs which part(s) of the process. This should be clearer

[paddybyers]

Suggested change

	* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided that returns an Ably-compatible token or an Ably [`TokenRequest`](/docs/api/realtime-sdk/types#token-request).
	* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided.

[paddybyers]

Suggested change

	Providing a literal `token` or `tokenDetails` is typically used for testing: since tokens are short-lived, in production you typically want to use an authentication method that allows the client library to renew the token automatically before the current token expires.
	Providing a literal `token` or `tokenDetails` is typically used for testing: since tokens are short-lived, in production you typically want to use an authentication method that allows the client library to renew the token automatically as the current token expires.

[paddybyers]

Suggested change

	Create an endpoint that validates users and returns JWTs with the appropriate Chat capabilities:
	Create an endpoint that validates user-provided credentials and returns JWTs with the appropriate Chat capabilities:

[paddybyers]

This change shouldn't be in this PR

[paddybyers]

It's not a hard requirement to support JWT. I think this should say that Client-side applications must use token auth

[m-hulbert]

This is pretty much there on the main authentication section - just a few odd choices on the Chat and Spaces pages 👍

[m-hulbert]

These two lines seem quite out of place.

[m-hulbert]

Only the JS example uses that package.

[m-hulbert]

Rather than having recommended and alternative in the headings, can we have that in the opening text instead?

[m-hulbert]

Is there a reason we've removed the code examples from other languages? I think we can update these with what you've added in the other files rather than lose them.

[m-hulbert]

With JWTs we could make this text and not have an example in all languages rather than linking out to another page for the info, but for TokenRequests I think it wouldn't hurt to give an example in all languages - seems odd to only provide 2 and then tell people to go elsewhere for the other 4/5.

[m-hulbert]

I'm not sure this fits here. Should it go on the ably tokens page do you think?

[umair-ably]

It was there previously but I moved it up a level since it applies to both token types...

#3085 (comment)

[m-hulbert]

Suggested change

	The primary way that token authentication is supported in Ably is [JWTs](/docs/auth/jwt). However, Ably tokens are an alternative mechanism that predates Ably's support for JWT. Unlike JWTs, Ably tokens are not generated by a client but are issued by the Ably service via a `/requestToken` endpoint; a client generates a signed *Token Request* and this is exchanged for a token by the Ably service. This means that, in general, integrating an application to use Ably tokens is more involved; Ably tokens also do not support all of the functionality now available with JWTs. However, there are still some circumstances where the use of Ably tokens is recommended:
	Ably tokens are an alternative mechanism for authenticating with Ably.
	They are not generated by a client but are issued by the Ably service via a `/requestToken` endpoint; a client generates a signed `Token Request` and this is exchanged for a token by the Ably service. Generally, integrating an application to use Ably tokens is more involved as Ably tokens also do not support all of the functionality available to JWTs.
	[JWTs](/docs/auth/jwt) are the recommended mechanism for authenticating with Ably, however there are still some circumstances where the use of Ably tokens may be preferred:

[m-hulbert]

These shouldn't be prefixed with realtime_ as there is only a single Chat interface. Also many of these are redundant on the client because we only have JS, React, Swift and Kotlin SDKs available - we're missing React and have a raft of others that don't exist.

[m-hulbert]

The order of items on the page should match chat please.

[m-hulbert]

Same comment as for Chat, however Spaces only supports JS and React.