Generating Tokens without Server Side SDK

During AngelHack, Alexander Ramirez came up to me with a puzzle. “How do I generate sessions and tokens?” he asked. Normally, I would have told him to use one of our server side SDKs, but he was building a browser plugin with video chat and wanted to use our REST API instead. Getting the SessionId is easy; it’s a simple POST request. However, generating a token is not so straightforward because it is generated algorithmically. This tutorial shows how to generate a token, and the examples used here are written in JavaScript.

A token is a base64-encoded string containing the following data fields: partner_id, sig, session_id, create_time, expire_time, role, connection_data, and nonce.

First, let’s generate the simple fields.

session_id can be created by sending a post request to our server.

Create_time is stored in seconds so we need to write

expire_time can be set to 24 hours (86400 seconds) from today, so its value is create_time + 86400

role If I want my user to be able to record the session and force others to disconnect, I would put ‘moderator’ here.

connection_data We can put in the user name for data, which in this case can just be “bob”

nonce is a random number, Math.floor( Math.random()*99999 )

The trickiest value to generate is the sig key, which is used to verify these token values. To generate this signature, we need to use a keyed-hash message authentication code (HMAC). Fortunately, there is a JavaScript library called Crypto (CryptoJS in the code) that lets us do just that.

We will use progressive HMAC hashing, so we will first need to generate an HMAC object with our secret, pass in our token values, and then finalize the HMAC.

var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA1, "Secret Passphrase"); // HMAC-SHA1 keyed with the secret
hmac.update(tokenValues); // tokenValues (name assumed here): the string of token values to sign
var hash = hmac.finalize(); // hash.toString() gives the hex sig

If you now print out this sig as a string, it should look something like this: 58ceea3adfd277c02545e3eaef23dfcf94496803

Now it is time to put all these values together into one string:


Base64 encode this new string and then prepend “T1==” to the encoded string. You can now use this token to authenticate yourself to that specific session.

Here’s the full code

With that said, please be aware that you should never expose your secret in your client side code due to security concerns.
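
The same steps run server-side, so the secret never reaches the browser, with a matching verifier that rejects forged or expired tokens. This is an added example, not the original post's code: it uses Node's built-in crypto module instead of CryptoJS, the function names are hypothetical, and the layout of the signed string (`partner_id=…&sig=…:` followed by the URL-encoded fields) is an assumption, since the post's own string is not shown here.

```javascript
const crypto = require("crypto");

// HMAC-SHA1 over the data string, hex encoded: the token's sig field.
function sign(data, secret) {
  return crypto.createHmac("sha1", secret).update(data).digest("hex");
}

// ASSUMED layout: "T1==" + base64("partner_id=KEY&sig=HEX:" + urlencoded fields).
function generateToken(apiKey, secret, sessionId, role, connectionData, now) {
  const data = new URLSearchParams({
    session_id: sessionId,
    create_time: String(now),
    expire_time: String(now + 86400), // 24 hours
    role: role,
    connection_data: connectionData,
    nonce: String(crypto.randomInt(0, 99999)),
  }).toString();
  const decoded = `partner_id=${apiKey}&sig=${sign(data, secret)}:${data}`;
  return "T1==" + Buffer.from(decoded, "utf8").toString("base64");
}

// Returns the token's fields, or null if it is malformed, forged or expired.
function verifyToken(token, secret, now) {
  if (typeof token !== "string" || !token.startsWith("T1==")) return null;
  const decoded = Buffer.from(token.slice(4), "base64").toString("utf8");
  const sep = decoded.indexOf(":");
  if (sep < 0) return null;
  const header = new URLSearchParams(decoded.slice(0, sep));
  const data = decoded.slice(sep + 1);
  const given = Buffer.from(header.get("sig") || "", "hex");
  const expected = Buffer.from(sign(data, secret), "hex");
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const fields = Object.fromEntries(new URLSearchParams(data));
  if (!(Number(fields.expire_time) > now)) return null;
  return { partner_id: header.get("partner_id"), ...fields };
}

// Constructed sample values, not real credentials.
const NOW = 1700000000;
const token = generateToken("123456", "constructed-secret", "1_constructed_session", "moderator", "bob", NOW);
console.log(token, verifyToken(token, "constructed-secret", NOW + 60));
```

Because the signature covers every field after the colon, changing the role or expiry of an issued token without the secret makes verification fail.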

Thanks for reading,


  • Nick

    Thanks, Song. This is really helpful. One question that I could probably figure out myself but thought I would just ask on here in case others are looking for the answer: How is this done using the iOS SDK? I would think that generating the sig key would be done differently if nothing else. One other thing that could be useful is a tutorial for integrating with mobile backend solutions like Parse, which are becoming increasingly common.

  • Gabriel Díaz

    In your text you have:

    var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA256, "Secret Passphrase");

    but in your code you have:

    var hmac = CryptoJS.algo.HMAC.create(CryptoJS.algo.SHA1, secret);

    So which one is correct? I guess it’s SHA1, but just in case… ;)

    • Ankur Oberoi

      Great catch! You are correct and it is supposed to be SHA1. Thank you.

  • Adam Dennis

    I feel as though this would be a very common question, and should be linked to from this page:

    • Song Zheng

      Hey Adam! You are correct! Will file this as a task on Jira to add it into our docs. Thanks for pointing this out!

      • Adam Dennis

        Thanks for the acknowledgement :)

    • Ankur Oberoi

      @disqus_ZAfulnwsbN:disqus just wanted you to know that this is not meant to be done anywhere other than locally during development as a shortcut. Embedding your API Secret on a webpage that is readable to the world can cause others to take control of your account and make you responsible to foot the bill.

      • Adam Dennis

        Hey Ankur,

        Thanks for the reply.
        You’re very correct in this, and it was just for testing… It would be crazy-bad for others to
        I’ve since decided to use your NodeJS library from github, and am generating a new session and token for each new video chat I start.


  • Darragh Duffy

    This is a very similar algorithm to OAuth; can I assume this algorithm is still used for the token generation, and is there an expectation this algorithm will change? I basically have to write a server side version for this because we can't use one of the existing libs easily.