Token Authentication with Netlify Functions

Secure your App key and App secret using a back-end service with Netlify functions.



Features Tech Stack
  • One-click deployment to Netlify
  • Use environmental variables to secure API Keys
  • JavaScript
  • Netlify Functions

Getting Started

Clone the Repository

git clone
cd communications-api-token-server-netlify

Follow Setup Instructions

✓ Sign up for Netlify
✓ Click the Deploy to Netlify button on the page
✓ Enter your App key and App secret as variables

Key Concepts

Initialize the SDK with secure authentication

In this example, our token authentication is accomplished by a serverless function that uses an Authentication API to retrieve an access token on behalf of the front end. This process is more secure than directly passing your API secrets which could be exposed during production. Instead, the token authentication server securely passes a token that allows the conferencing app to make an API request on behalf of the user over an HTTPS encrypted connection. This prevents API secrets from leaking and offers a more secure experience for users.

The following diagram illustrates the workflow of the secure authentication model.


The examples shown use the API presented by the sample server for communication between the application and the Netlify serverless function. The examples assume that this communication is secure and the application is trusted. In a production scenario, the token service should be further restricted to your specific authenticated application.

Front end client application

With the secure token authentication set up on the serverless backend, the frontend client application can initialize the app with the secure token; and easily call the Communications Client SDKs allowing for access to all SDK functionality.

The code below highlights how the token is used to initialize the SDK:

// URL to our serverless Token function
const tokenUrl = '<* URL TO YOUR TOKEN SERVER ENDPOINT *>';

async function getTokenAndInitalize() {
    try {
        // Get the initial access token
        const accessToken = await getAccessToken();
        // Initialize the SDK
        VoxeetSDK.initializeToken(accessToken, getAccessToken);

        // SDK is initialized, now you can start conference, 
        // and other methods on the sdk.
    } catch (error) {

 // This callback is called when the token needs to be refreshed.
async function getAccessToken() {
    try {
        const response = await fetch(tokenServerURL);
        const json = await response.json();
        return json.access_token;
    } catch (error) {