To keep your keys secure, the recommendation is to pass the keys back after the user has been authenticated by your login process. No, this still does not prevent someone from snooping the live values, but there is a solution that PubNub provides: Access Control.
- Enable Access Control on your PubNub key set.
- Connect to your server for login with TLS (formerly SSL).
- During your login process, upon successful authentication, grant read and/or write access to an auth-key (that you generate) to channels for this authenticated user. You can set a ttl (time to live) for the grants to whatever you want (default is 1440 = 24 hours).
- Pass the pub, sub and auth keys back to the authenticated user.
- When you initialize PubNub in your client code, use the pub, sub and auth keys and set the TLS parameter to true (3x SDKs param is named SSL).
- Optionally, you can provide a cipher key to enable AES256 encryption.
- With Access Control, even a malicious user can not gain access to channels that they were not authorized to access by your server.