Basic auth
Basic authentication is the simplest way to authenticate with PUBQ. It requires passing an API key when instancing an SDK.
API keys are private. They should never be shared with untrusted parties, and as such, should only be used by your trusted secure servers when authenticating with PUBQ.
The following is an example of using basic authentication:
const realtime = new Pubq.RealTime({ key: "q4D9G2.rGQK1W:9pWbndVJg50MaOPAapAx7LQ_zKw6YvXl2B" });Basic auth architecture
The diagram below illustrates the authentication process used by PUBQ SDKs to authenticate with PUBQ using basic authentication:
When to use basic auth
PUBQ recommends that basic authentication is only used server-side because of the following potential issues:
- The secret is passed directly by the client to PUBQ, so it is only permitted for connections that are over TLS, to prevent the key secret being intercepted.
- All of the configured capabilities of the key are implicitly possible in any request, and clients that legitimately obtain this key may then abuse the rights for that key.
- A client that authenticates using an API key can claim any client ID it chooses. Therefore this client ID cannot be trusted to represent the genuine identity of the client. Client IDs should be assigned by the server, once the client’s credentials have been authenticated.
When selecting a PUBQ SDK for implementing basic authentication with PUBQ, you don’t need to use the realtime interface.
As basic authentication is primarily designed for authenticating a secure server, it is more efficient to use the REST interface of a PUBQ SDK. This is because the overhead associated with maintaining a realtime connection is not required. However, this is only true when the server is used solely for authentication.
