If you see Grant API calls in your usage page after disabling the Access Manager feature, it's important to understand that disabling it in the admin dashboard does not stop authentication tokens from being issued.
The design allows tokens to be generated and distributed before enabling the feature, preventing the service from returning 403 Forbidden errors afterward.
Disabling Access Manager stops user permission validation during API execution. The Grant API, however, is a strictly server-side operation that uses a secret key (with root permissions) to issue authentication tokens. Once implemented, the API functions even with Access Manager feature disabled.
To successfully stop Grant API calls, you must remove the Grant API from your codebase.
//Javascript
try {
const token = await pubnub.grantToken({
ttl: 15,
authorized_uuid: "my-authorized-uuid",
resources: {
channels: {
"my-channel": {
read: true,
},
},
},
});
} catch (status) {
console.log(status);
}
To learn more about the feature, visit our official Access Manager documentation page.