Ably's authentication system allows a set of capabilities to be configured for the tokens that are issued to clients. Capabilities can also be set on API keys themselves, but that is rarely the right way to restrict what clients can access, because tokens provide far more flexibility and are safer to distribute to clients.
To understand how capabilities can be used to secure your app and control which channels a client can access, please see the following documentation and articles:
- A quick introduction to Ably's two authentication schemes - basic (using an API key) and token authentication
- Token authentication explained
- Capabilities explained, which describes specifically how you can configure which channels a client can access and what operations they can perform on each channel. Additionally, we have an example you can run in your browser.
- The Realtime library authentication documentation with an example of how a client can use token authentication