Both the REST API and the Realtime API use common authentication mechanisms and support Token and Basic authentication.


This is based on having a series of API keys set up for each application. Each API key is configured via the dashboard and exposed as a single string such as xVLyHw.b4EB6g:MAVW7HX7u5OjqO5n which contains information that identifies the key as well as containing the “secret” key value.


Basic Authentication


The simplest method for authentication with Ably is to use the API key string when instancing the client library Basic Authentication passing the key string to the client library. See the Quick Start Guide for a simple example of connecting to Ably with Basic Authentication.

Token Authentication - recommended


Basic authentication is simple, but suffers from a number of problems that might make it unsuitable for certain use cases:

  • the secret is passed directly by the client to Ably, so it is not suitable for connections that are not over TLS (HTTPS or non-encrypted realtime connections)
  • the secret may be required to be embedded in a script on a public site
  • all of the configured capabilities of the key are implicitly possible in any request, and clients that legitimately obtain the secret may then abuse the rights conferred by that key


Token Authentication


The aforementioned issues with Basic Authentication are addressed by using token-based authentication, which is our recommended authentication scheme. Tokens are authentication credentials that only have a short lifetime, and therefore they may more readily be distributed to clients where there is a risk of compromise. Tokens may also be issued with a particular scope – such as a limited set of access rights, or being limited to use by a specific client – and therefore token-based authentication provides the flexibility to implement access control policies in the application. 


Get an in-depth overview of both Basic and Token Authentication in our documentation