Using Token Authentication

2026-03-05

Feature Introduction

Authentication verifies whether a user has permission to access the system, which avoids the security risks caused by missing permission control or improper operation. ZEGO authenticates users through Tokens, which include the basic authentication Token and the privilege authentication Token.

| Authentication Method | Description | Application Scenario |
| --- | --- | --- |
| Basic Authentication Token | Developers must pass the Token parameter when logging into the room to verify the legitimacy of the user. | The basic authentication Token is the basic capability of Token, used for simple permission verification scenarios in business. In most cases, generating this Token is sufficient. |
| Privilege Authentication Token | To further improve security, permission bits for room ID and stream ID are provided, which verify the room ID being logged into and the stream ID. | General usage scenarios for room ID and stream ID permission bits are as follows: |

  • Rooms are divided into ordinary rooms and member rooms, and non-member users must be prevented from logging into member rooms.
  • In voice chat rooms or show live streaming, the users publishing streams must be kept consistent with the users on the mic, to prevent the "ghost mic" phenomenon, that is, hearing the voice of users who are not on the mic in the room.
  • In speaking games such as Werewolf, attackers who have cracked the application must be prevented from logging into the same room with other user IDs and obtaining information about the game progress to cheat, which affects the gaming experience of normal users.

Prerequisites

Warning
  • Only ZEGO Express SDK version 2.17.0 and above supports using Token authentication as described in this document.
  • If you have integrated a ZEGO Express SDK version earlier than 2.17.0 (using AppSign authentication) and now want to upgrade to version 2.17.0 and use Token authentication, you can learn more about AppSign authentication and Token authentication in the "How to upgrade from AppSign authentication to Token authentication" document.

Process Overview

When using Token authentication, developers first generate a Token and then log into the room with it. The ZEGO server uses the Token to verify the user.

The following steps use room login as an example of how a Token determines whether a user can log into a room:

  1. The developer client sends a request to apply for a Token.
  2. The developer's server generates the Token and returns it to the developer client.
  3. The developer client logs into the corresponding room with the obtained Token, together with the userID and roomID.
  4. The ZEGO SDK automatically sends the Token to the ZEGO server for verification.
  5. The ZEGO server returns the verification result to the ZEGO SDK.
  6. The ZEGO SDK returns the verification result directly to the developer client. Clients without permission fail to log in.

Generate Token and Use

This section details how developers generate a Token on the server, how to use the Token, and how to handle Token expiration.

1 Get AppID and ServerSecret

Generating Token requires the AppID, the unique identifier of the developer project, and the ServerSecret key. Please refer to "Project Information" in Console - Project Management to obtain them.

After the developer obtains the AppID and ServerSecret information of the project, they can generate Token on their own server according to actual business needs. The developer client sends a request to apply for Token to the developer server, and the developer server generates Token and returns it to the corresponding client.

2 Generate Token on Server

Warning
  • For your convenience during development and debugging, we provide the ZEGO Token Assistant to generate temporary Tokens.
  • For business security, you must generate Tokens on your app server; otherwise, there is a risk of ServerSecret being stolen.
  • After generating a Token on your own server, if you need to verify its validity, you can also use the ZEGO Token Assistant for verification.

ZEGO Token Assistant

This tool runs locally in the browser and does not send data to a server. Do not expose ServerSecret in production; use this tool for debugging only.

ZEGO provides an open source zego_server_assistant plugin on GitHub/Gitee. Please use the "token04" version in the plugin to generate Token. The plugin supports Go, C++, Java, Objective-C, Python, PHP, .NET, Node.js languages:

| Language | Supported Version | Key Function |
| --- | --- | --- |
| Go | Go 1.14.15 or above | GenerateToken04 |
| C++ | C++ 11 or above | GenerateToken04 |
| Java | Java 1.8 or above | generateToken04 |
| Python | Python 3.6.8 or above | generate_token04 |
| PHP | PHP 5.6 or above | generateToken04 |
| .NET | .NET Framework 3.5 or above | GenerateToken04 |
| Node.js | Node.js 8 or above | generateToken04 |

Taking Go language as an example, developers can refer to the following steps to use zego_server_assistant to generate Token:

  1. Use the command git clone https://github.com/zegoim/zego_server_assistant to get the dependency package.
  2. In your code, introduce the plugin through import "github.com/zegoim/zego_server_assistant/token/go/src/token04".
  3. Call the GenerateToken04 method provided by the plugin to generate Token.

Warning

When running the Java source code for generating Token, if the "java.security.InvalidKeyException Key Size" exception prompt appears, please refer to Related FAQ Document to solve it.
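
The server-side decision that belongs around step 3, as an added example (not ZEGO's code): the Token is issued for the userID of the authenticated session, login is allowed only for room members, and publishing only for users on the mic. The `genFunc` signature for `GenerateToken04` and the payload field names and privilege keys are assumptions, not taken from this page; `Issuer`, `Members` and `OnMic` are hypothetical names, and a stub stands in for the plugin so the file runs on its own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// genFunc: assumed signature of the plugin's GenerateToken04, injected so this runs without the plugin.
type genFunc func(appID uint32, userID, secret string, effectiveSec int64, payload string) (string, error)

// privPayload: assumed privilege payload; key 1 = log into room, key 2 = publish; 1 allows, 0 denies.
type privPayload struct {
	RoomID       string      `json:"room_id"`
	Privilege    map[int]int `json:"privilege"`
	StreamIDList []string    `json:"stream_id_list"`
}

// Issuer (hypothetical) keeps ServerSecret and the business state on the server.
type Issuer struct {
	AppID   uint32
	Secret  string
	Members map[string]map[string]bool // roomID -> userIDs allowed to log in
	OnMic   map[string]map[string]bool // roomID -> userIDs allowed to publish
	Gen     genFunc
}

// Issue signs a Token for the session's userID (never a client-supplied one), only for an allowed room.
func (i Issuer) Issue(sessionUserID, roomID string) (string, error) {
	if sessionUserID == "" || !i.Members[roomID][sessionUserID] {
		return "", errors.New("user may not log into this room")
	}
	publish := 0 // users who are not on the mic get no publish privilege
	if i.OnMic[roomID][sessionUserID] {
		publish = 1
	}
	p, err := json.Marshal(privPayload{roomID, map[int]int{1: 1, 2: publish}, []string{}})
	if err != nil {
		return "", err
	}
	return i.Gen(i.AppID, sessionUserID, i.Secret, 3600, string(p)) // 1 hour, sample value
}

func main() { // constructed data; the stub stands in for GenerateToken04
	stub := func(_ uint32, u, _ string, _ int64, p string) (string, error) { return u + "|" + p, nil }
	is := Issuer{1, "constructed-secret", map[string]map[string]bool{"vip": {"alice": true}}, nil, stub}
	fmt.Println(is.Issue("alice", "vip"))
	fmt.Println(is.Issue("mallory", "vip"))
}
```

In a real server, `Gen` would be set to the plugin's `GenerateToken04` and `sessionUserID` would come from your own login session.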

3 Use Token

Users log into the corresponding room with the obtained Token, together with the user and roomID information.

Warning

The userID used when calling the loginRoom interface to log into the room must be consistent with the userID used to generate the Token in "Generate Token on Server".

let roomConfig = new ZegoRoomConfig()
roomConfig.token = 'xxxxxxxx' // Request from developer server to obtain

// Login room
this.engine.loginRoom('your_room_id', new ZegoUser('user_id'), roomConfig)

If developers need to modify a user's publishing permission after the user logs into the room, they can also call the renewToken interface to update the permission. The update takes effect the next time the user publishes; publishing that has already succeeded is not affected.

let token = 'xxxxxxxx' // Re-request from developer server to obtain Token
this.engine.renewToken('your_room_id', token)

4 Handling Token Expiration

Warning

Token expiration may cause issues such as publishing and playing exceptions. Please strictly follow the instructions below to handle expired Tokens in a timely manner.

30 seconds before the Token expires, the SDK sends a notification through the onRoomTokenWillExpire callback. After the Token expires, logging into the room again returns the 1002078 (Token expired) error code through onDebugError or onRoomStateChanged.

After receiving the Token expiration callback or the Token expiration error code, developers need to obtain a new valid Token from their own server and call the renewToken interface provided by the SDK to update the Token.

If you have integrated ZEGO Express SDK version 2.17.0 or above and do not call the renewToken interface to update the Token, then after the Token expires:

  • Logged in users will not be kicked out of the room.
  • Currently successful publishing and playing will not be affected. However, after stopping publishing, you cannot publish again unless you update the Token.

Note

ZEGO also provides another Token expiration handling method. You can contact ZEGO Technical Support to configure it:

  • Logged in users will be kicked out of the room, and can only log into the room again after updating Token.
  • Currently successful publishing will be stopped.

onRoomTokenWillExpire(roomID: string, remainTimeInSecond: number): void {
  // Re-request a Token from the developer server before the current one expires
  let token = 'xxxxxxxx'
  // Renew the Token for the room reported by the callback
  this.engine.renewToken(roomID, token)
}

Other

If you cannot distribute Token through the server during development, you can first use client-side code to generate Token, and then complete the integration after the server development is completed.

Warning
  • When the App goes online, do not generate Token on the client side, otherwise your ServerSecret will be at risk of exposure.
  • To ensure security, it is strongly recommended to use the server to generate Token, otherwise there is a risk of ServerSecret being stolen.

Reference information for each language of the zego_server_assistant plugin used to generate Token on the client side:

| Language | Supported Version | Key Function |
| --- | --- | --- |
| C++ | C++ 11 or above | GenerateToken04 |
| Java | Java 1.8 or above | generateToken04 |
| Objective-C | - | GenerateToken04 |

To use a Token generated on the client side, please refer to "Use Token".

If the Token expires, please refer to "Handling Token Expiration".

API Reference

| Method | Description |
| --- | --- |
| loginRoom | Login room |
| renewToken | Renew Token |
| onRoomTokenWillExpire | Token expiration callback |
