Client Authentication

The client SDKs provide the initializeToken method to authenticate against the service.

In order to protect the consumer secret, the best practice is to build and maintain an authentication server, which has access to your consumer secret, and can act as a proxy to retrieve an access token from the Communications APIs platform and return the token to the client application. The client application can use the initializeToken method to authenticate with the platform. As a Communications APIs customer, it is your responsibility to protect this authentication server from unauthorized access.

The access token has a default validity period; it can be customized to a shorter duration to further improve the security of the access token. For more information, refer to the latest Authentication API.

A demo access token can be generated from the developer dashboard and expires after 12 hours.

Before using the SDK in your project, find your Key and Secret by following these steps:

  1. Log into the developer dashboard. A list of applications appears in your account summary.
  2. Locate your application from the APPLICATIONS list and click the API KEYS icon.
  3. From the APIs section, copy your Key and Secret.

Initialize the SDK with secure authentication

The Communications APIs provide an easy-to-use server-side RESTful API that lets customers' servers act as brokers that obtain and refresh tokens, so the application secrets are never distributed over the Internet.

The following diagram illustrates the workflow of the secure authentication model.


The secure Auth sequence

Customer’s server

A sample server can be found within the voxeet-io-web repository. The README file explains how to run the server with the secrets for your application.

The examples shown use the API presented by the sample server for communication between the application and the server. The examples assume that this communication is secure and the application is trusted. In a real service, the application’s user would need to log into this server.

Initial authentication

  1. The customer’s server, acting as an authentication broker, needs the application key and secret to authenticate against the /oauth2/token API.
  2. The access token is returned and the customer’s server passes it back to the application.
  3. Upon receiving the access token from the customer’s server, the application calls the initializeToken API to initialize the Communications Client SDKs.

The customer’s server can request the access token with:

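// Runs on the customer's server only: the consumer secret must never reach the application.
async function requestAccessToken() {
  const CONSUMER_KEY = "consumerKey";
  const CONSUMER_SECRET = "consumerSecret";
  const authHeader = "Basic " + btoa(encodeURI(CONSUMER_KEY) + ":" + encodeURI(CONSUMER_SECRET));

  // URL of the /oauth2/token API
  const tokenURL = "";
  const tokenParams = {
    method: "POST",
    headers: {
      Authorization: authHeader,
    },
    // Form-encoded body; fetch sets the matching Content-Type header
    body: new URLSearchParams({
      grant_type: "client_credentials",
    }),
  };

  const response = await fetch(tokenURL, tokenParams);
  if (!response.ok) {
    throw new Error(`token request failed: HTTP ${response.status}`);
  }
  const jwt = await response.json();

  // Log the event, not the token value, so the token does not end up in server logs
  console.log("access_token received");

  // Return the access_token to the application
  return jwt.access_token;
}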

The application can initialize the SDK once it has received the access token from the customer’s server.
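
The broker role described above, as an added example (not code from the original page or from the sample server): the customer's server keeps the secret, reuses a token until shortly before it expires, and hands only the access token to the application. Assumptions: the token response carries `expires_in` in seconds, the URL is a placeholder, and `createTokenBroker`, `fetchImpl`, `now`, `skewSeconds` and `fakePlatform` are hypothetical names introduced here.

```javascript
// Added example: token broker for the customer's server. The consumer secret stays
// in this process. Assumes the response carries `expires_in` (seconds); `fetchImpl`,
// `now` and `skewSeconds` are hypothetical options for this example.
function createTokenBroker({ key, secret, tokenURL, fetchImpl = fetch, now = Date.now, skewSeconds = 60 }) {
  if (!key || !secret || !tokenURL) throw new Error("key, secret and tokenURL are required");
  if (!tokenURL.startsWith("https://")) throw new Error("tokenURL must use HTTPS");
  const authHeader = "Basic " + btoa(encodeURI(key) + ":" + encodeURI(secret));
  let cached = null; // { token, expiresAt }
  let inFlight = null; // shared by concurrent callers so only one refresh is sent

  async function requestToken() {
    const response = await fetchImpl(tokenURL, {
      method: "POST",
      headers: { Authorization: authHeader },
      body: new URLSearchParams({ grant_type: "client_credentials" }),
    });
    if (!response.ok) throw new Error(`token request failed: HTTP ${response.status}`);
    const json = await response.json();
    if (typeof json.access_token !== "string") throw new Error("no access_token in response");
    const lifetime = Math.max(0, (Number(json.expires_in) || 0) - skewSeconds);
    cached = { token: json.access_token, expiresAt: now() + lifetime * 1000 };
    return cached.token; // only the token leaves the broker, never the secret
  }

  return async function getAccessToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    if (!inFlight) inFlight = requestToken().finally(() => { inFlight = null; });
    return inFlight;
  };
}

// Constructed stand-in for the platform's /oauth2/token API (no network access).
function fakePlatform() {
  const calls = [];
  const fetchImpl = async (url, params) => {
    calls.push({ url, params });
    const token = "token-" + calls.length; // constructed value
    return { ok: true, status: 200, json: async () => ({ access_token: token, expires_in: 600 }) };
  };
  return { calls, fetchImpl };
}

async function demo() {
  const platform = fakePlatform();
  let clock = 0; // fake clock in milliseconds
  const getAccessToken = createTokenBroker({ key: "consumerKey", secret: "consumerSecret",
    tokenURL: "https://auth.example.invalid/oauth2/token", fetchImpl: platform.fetchImpl, now: () => clock });
  const [a, b] = await Promise.all([getAccessToken(), getAccessToken()]); // one upstream request
  clock = 541 * 1000; // past the 600 s lifetime minus the 60 s skew
  const c = await getAccessToken();
  return { a, b, c, upstreamCalls: platform.calls.length, body: String(platform.calls[0].params.body) };
}
```

In a real deployment the route that calls `getAccessToken()` sits behind the server's own user login, as the page notes for the sample server.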