Yes, by default all of our client libraries use TLS when communicating with Ably over REST or via our Realtime transports such as WebSockets. We do not charge customers for using TLS and actively encourage everyone to use it, as it provides a secure transport for communication with Ably.


If, however, you want to disable TLS (typically to reduce communication overhead for public data streams), you can specify tls: false in your client options when instantiating a Realtime or REST library; see the ClientOptions documentation. Please note that unencrypted communication with Ably is disallowed if any of the following conditions are met:


  • You attempt to use Basic Authentication and thus transmit a private API key over an unencrypted connection. You are only permitted to use unencrypted connections with Token Authentication, because tokens expire, which limits the impact of a token being intercepted by a third party.
  • You have specified that TLS is required in your app settings.
  • A client using an unencrypted connection attempts to attach to a channel that is configured to be used with TLS only. Find out more about channel rules.
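
The three conditions above can be checked before a client configuration is deployed. The following is an added example, not Ably library code. It assumes that an API key with no token option means Basic Authentication, that a channel's namespace is the part of its name before the first colon, and it uses hypothetical names (tlsRequired, tlsOnly, namespace) for the app setting and channel rule.

```javascript
// Added example: pre-deployment check of client options against the three
// conditions listed above. Not part of any Ably client library.

// Assumption: any of these options makes the client use Token Authentication.
const TOKEN_AUTH_OPTIONS = ['token', 'tokenDetails', 'authUrl', 'authCallback', 'useTokenAuth'];

function usesTls(clientOptions) {
  // TLS is the default; only an explicit `tls: false` disables it.
  return clientOptions.tls !== false;
}

function usesBasicAuth(clientOptions) {
  // Assumption: an API key with no token option means Basic Authentication.
  const hasTokenOption = TOKEN_AUTH_OPTIONS.some((name) => Boolean(clientOptions[name]));
  return Boolean(clientOptions.key) && !hasTokenOption;
}

// appSettings.tlsRequired and channelRules[].namespace / .tlsOnly are
// hypothetical names for the app setting and channel rule described above.
function checkUnencryptedUse(clientOptions, appSettings = {}, channels = [], channelRules = []) {
  const problems = [];
  if (usesTls(clientOptions)) return problems; // the conditions only restrict non-TLS clients
  if (usesBasicAuth(clientOptions)) problems.push('basic-auth-without-tls');
  if (appSettings.tlsRequired) problems.push('app-requires-tls');
  for (const channel of channels) {
    // Assumption: the namespace is the part of the name before the first colon.
    const namespace = channel.includes(':') ? channel.split(':')[0] : null;
    const rule = channelRules.find((r) => r.namespace === namespace);
    if (rule && rule.tlsOnly) problems.push(`tls-only-channel:${channel}`);
  }
  return problems;
}

// Constructed sample configurations (placeholder key and URL).
const SAMPLE_RULES = [{ namespace: 'private', tlsOnly: true }];
const weakClient = { key: 'PLACEHOLDER_KEY_NAME:PLACEHOLDER_SECRET', tls: false };
const publicFeedClient = { authUrl: 'https://example.com/auth', tls: false };

console.log(checkUnencryptedUse(weakClient, {}, ['private:orders'], SAMPLE_RULES));
console.log(checkUnencryptedUse(publicFeedClient, {}, ['public:scores'], SAMPLE_RULES));
```

An empty result means none of the three conditions applies to that configuration; each string in a non-empty result names the condition that would cause the unencrypted connection to be refused.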

Additional encryption

Whilst TLS encryption ensures that messages in transit to and from Ably cannot be intercepted, inspected, or tampered with, it does not ensure that the Ably service itself is unable to (in theory) inspect your messages and their content.  If you want to ensure that all messages are encrypted and inaccessible to even Ably, please consider using our private key symmetric encryption included in our client libraries.