To keep your keys secure, the recommendation is to hand the publish and subscribe keys to the client only after the user has been authenticated by your login process. On its own this still does not stop someone from reading the live values out of the client (a browser's developer tools will show them), but PubNub provides a solution for that: Access Manager.
- Enable Access Manager on your PubNub key set.
- Connect to your server for login with TLS (formerly SSL).
- During your login process, upon successful authentication, grant read and/or write permission to an auth key (a random token that you generate per session) on the channels this authenticated user is allowed to use. Set a ttl (time to live) on the grant to whatever you want (minimum 1 minute; maximum 43200 minutes, i.e. 30 days); once it expires the permissions lapse and the client has to go through your login again.
- Pass the publish key, subscribe key and auth key back to the authenticated user over the same TLS connection. The secret key never leaves your server; it is what signs the grant requests.
- When you initialize PubNub in your client code, supply the publish key, subscribe key and auth key, and set the TLS parameter to true (in the 3.x SDKs the parameter is named SSL).
- Optionally, you can also provide a cipher key to enable AES-256 encryption of message payloads.
- With Access Manager, even a malicious user who has captured the publish and subscribe keys cannot gain access to channels that your server did not authorize for their auth key: a request with the keys alone, or with an expired auth key, is rejected.
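The server side of the steps above, written out as an added example (this is not PubNub's own code or SDK; it uses only the Python standard library and builds the grant requests without sending them). The key set, the `user.<id>`/`announcements` channel layout, the `verify_password` placeholder and the timestamp are constructed for the example. The grant signature is computed as the REST grant endpoint documents it to my knowledge (base64url of an HMAC-SHA256 over `sub_key\npub_key\ngrant\n<sorted query>` with the secret key) and the endpoint path is likewise an assumption; check both against the SDK you actually use.

```python
# Added example (not PubNub's code): the login server's side of an Access Manager flow.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote

TTL_MIN_MINUTES = 1       # limits stated in the article
TTL_MAX_MINUTES = 43200

# Hypothetical key set; the secret key must exist only on the login server.
PUB_KEY = "pub-c-example"
SUB_KEY = "sub-c-example"
SECRET_KEY = "sec-c-example"
SERVER_UUID = "login-server"


def new_auth_key() -> str:
    """One unguessable auth key per login session (never derived from the user id)."""
    return secrets.token_urlsafe(32)


def clamp_ttl(minutes: int) -> int:
    """Keep the grant lifetime inside the range Access Manager accepts."""
    return max(TTL_MIN_MINUTES, min(TTL_MAX_MINUTES, int(minutes)))


def channels_for(user_id: str) -> dict:
    """Hypothetical policy: a private channel read/write, a broadcast channel read-only."""
    return {
        f"user.{user_id}": {"read": True, "write": True},
        "announcements": {"read": True, "write": False},
    }


def build_grant_query(auth_key, channels, read, write, ttl, timestamp) -> str:
    """Alphabetically sorted, URL-encoded query string (the form the signature covers)."""
    params = {
        "auth": auth_key,
        "channel": ",".join(channels),
        "r": "1" if read else "0",
        "w": "1" if write else "0",
        "timestamp": str(timestamp),
        "ttl": str(ttl),
        "uuid": SERVER_UUID,
    }
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))


def sign_grant(query: str) -> str:
    """ASSUMPTION: grant signature as documented for the REST endpoint:
    base64url(HMAC-SHA256(secret_key, "<sub_key>\\n<pub_key>\\ngrant\\n<query>"))."""
    message = f"{SUB_KEY}\n{PUB_KEY}\ngrant\n{query}".encode()
    digest = hmac.new(SECRET_KEY.encode(), message, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()


def grant_requests(user_id, auth_key, ttl_minutes, timestamp) -> list:
    """One signed grant per distinct (read, write) pair, since r/w apply to every channel listed."""
    groups = {}
    for channel, perms in channels_for(user_id).items():
        groups.setdefault((perms["read"], perms["write"]), []).append(channel)
    ttl = clamp_ttl(ttl_minutes)
    requests = []
    for (read, write), channels in sorted(groups.items()):
        query = build_grant_query(auth_key, channels, read, write, ttl, timestamp)
        requests.append({
            "channels": channels, "read": read, "write": write, "ttl": ttl,
            # ASSUMPTION: REST path of the grant endpoint; confirm for your SDK/origin.
            "url": f"https://ps.pndsn.com/v2/auth/grant/sub-key/{SUB_KEY}"
                   f"?{query}&signature={sign_grant(query)}",
        })
    return requests


def client_bootstrap(auth_key, ttl_minutes) -> dict:
    """What the login endpoint returns to the client over TLS: no secret key in here."""
    return {
        "publishKey": PUB_KEY,
        "subscribeKey": SUB_KEY,
        "authKey": auth_key,
        "ssl": True,                      # TLS on; the 3.x SDKs call this parameter SSL
        "expiresInMinutes": clamp_ttl(ttl_minutes),
    }


def verify_password(user_id, password) -> bool:
    """Placeholder for your real credential check (constructed for the example)."""
    return user_id == "alice" and hmac.compare_digest(password, "correct horse battery staple")


def login(user_id, password, ttl_minutes=60, timestamp=1700000000):
    """Verify credentials, build the signed grants, then hand the client its keys."""
    if not verify_password(user_id, password):
        return None
    auth_key = new_auth_key()
    grants = grant_requests(user_id, auth_key, ttl_minutes, timestamp)
    # In production: GET each grant URL and require a 200 before returning the
    # bootstrap below; the client never sees the grant URLs or the secret key.
    return {"grants": grants, "client": client_bootstrap(auth_key, ttl_minutes)}
```

The `timestamp` is the server's current Unix time in real use; it is fixed here only so the output is reproducible. Grouping channels by permission pair matters because a single grant applies the same `r`/`w` flags to every channel it names, so a read-only broadcast channel must not be listed in the same grant as the user's private read/write channel.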
See also: