Authentication

To connect your app to the Aircore platform, you must use an API key with one of our SDKs.

You can choose between publishable and secret API keys depending on your needs:

Use a publishable API key to get started with Aircore.
Use a secret API key for more flexibility and security. Secret API keys require a backend, so the setup is more complex.

Publishable API keys

You can use a publishable API key directly in your app. You typically use a publishable API key if your app does not have a backend.

Flow diagram for publishable API keys.

The same publishable API key allows more than one user to connect. If a user manages to access the key, they could abuse it by adding it to another app. If this happens, you need to delete the key and update your app with a new one.

For more flexibility and security, you can use a secret API key.

Secret API keys

You can use a secret API key with your backend. Your backend uses the secret API key to request session authorization tokens (session auth tokens). Each user of your app connects using a different session auth token.

Secret API keys offer the best flexibility and security. Session auth tokens use cryptographic signing to resist tampering. We recommend secret API keys for most apps.

You can also use a secret API key to access Aircore services such as cloud recording.

Flow diagram for secret API keys.

Our SDKs notify your app when a session auth token is about to expire. Your app can then request a new token from your backend.

Get an API key

To get an API key:

Go to the Developer Console and log in.
Click Apps in the left menu, then click Create New App.
Create only one app for all platforms that your app supports.
Creating separate apps in the console splits your users into groups that can't see each other.
Copy a publishable or secret API key.
Use your API key with any Sync Audio, Sync Chat, or Flex SDK. All SDKs support both types of API keys.

Get a session auth token

If you use a secret API key, your backend requests session auth tokens from our provisioning service. The service provides a REST API.

Request

Replace the text SECRET_API_KEY in these samples:

curl -X POST "https://provisioning.aircore.io/session_access" \
-H "Authorization: Bearer SECRET_API_KEY" \
-H "Content-Type: application/json" \
-d '{
  "token_lifetime": 86400,
  "user_id": "user123",
  "channel_id": "channel123",
  "services": {
    "media": {
      "allow_publish_audio": true,
      "allow_publish_video": true
    }
  }
}'

See the full API reference: Session authorization tokens.

Keep your API keys safe

You must protect both publishable and secret API keys.

You can use more than one API key at a time. For example, you can create separate publishable API keys for each platform. This limits the cost of exposure of any one key.

Protect publishable API keys

You can keep a public API key in secure storage on the client or retrieve it at runtime. This lowers the risk of a user abusing the key.

Protect secret API keys

Treat a secret API key like a password:

❌ Don't embed it in your app.
❌ Don't check it into source control.
✅ Grant access only to those who need it.
✅ Use a password manager to store it and manage access.

Delete an API key

To delete an API key you no longer need, use the Developer Console. Deleting an API key revokes its access to the Aircore platform.

Your app can have more than one active API key. To transition between keys, roll out a new key to your systems before deleting the old one.

More info

To continue learning about Aircore, see Channels.