[FTF-468] Several docs changes to highlight token auth over API key auth, as well as more info on using JWTs

[umair-ably]

Description

• Restructures auth documentation to recommend token authentication (specifically Ably JWT) as the default for client-side applications
• Adds new dedicated authentication pages for Chat and Spaces products
• Expands token auth documentation with a comparison table of token mechanisms and clearer guidance on choosing between Ably JWT, TokenRequest, and Embedded JWT
• Updates auth landing page with a quick reference table and starter code example
• Streamlines capabilities and identified-clients pages for clarity

Motivations/Objectives:

• JWT Token Auth becomes the obvious and clear auth pattern for production code.
• Customer's are easily able to navigate the docs site to find the appropriate auth info e.g. product specific auth guidance is nested in the product section. Auth is moved under platform. (Will be added in a later PR)

Checklist

• Commits have been rebased.
• Linting has been run against the changed file(s).
• The PR adheres to the writing style guide and contribution guide.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[paddybyers]

I've commented on much of this but stopped around half way through. I think it needs significant revision to make JWT the primary recommended route. The narrative and examples all need updating to reflect this.

A lot of this is slop - it's been AI-generated and not critically reviewed.

[paddybyers]

Why are we suggesting authURL instead of callback here? Does it not need at least some comment?

[paddybyers]

Why is this using native tokens, instead of generating a JWT?

[paddybyers]

I'm not convinced this section adds anything. It feels like slop.

[mattheworiordan]

really a duplciate of https://ably-docs-authchanges-py2loc0j.herokuapp.com/docs/auth#selecting-auth. I do thinkg repetition is good at times, but why here?

[paddybyers]

These are not the only things that could go wrong, or even the most likely things that could go wrong.

Error 40103: Token expired

Not according to https://github.com/ably/ably-common/blob/main/protocol/errors.json#L40

If we're going to retain this section we should also refer to:
40160: incorrect capabilities
80019: error in auth callback/url
40171: no means to renew token

Perhaps we should defer adding this section until we've got the more thorough error code documentation landed?

[mattheworiordan]

Why do we need troubleshooting at all? We have error codes and paths. Do we think people are going to read this and pre-empty troubles?

[paddybyers]

I don't agree with this. We recommend JWT in all circumstances that they can be used. There are only two situations where you would use native tokens:

• where the capabilities list is so large that a literal token is unworkable;
• where the capabilities or clientId are sensitive in some way, and there is a desired to keep them confidential, even if inspecting the token.

Of these, I'm not sure we should even mention the second one because it's such an unusual case.

[paddybyers]

This is irrelevant. I suggest removing it.

[paddybyers]

This should refer to identified clients.

[paddybyers]

This is incorrect advice. It should state instead that a client needs to be identified in order to use certain reaction types. It does not imply the use of token auth.

[paddybyers]

I don't understand why this comment is here. Doesn't the chat SDK ensure that a client is always identified?

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[paddybyers]

Again, we should be recommending JWT auth.

[mattheworiordan]

Thanks for submitting. Good to see you take a stab at dealing with the LLM auth issues, but I think this PR needs a lot more human review by yourself before it's sent for others to review. Lots of obvious problems as it appears to have been pumped out directly from an LLM, which is great to move quickly, but thiks is our docs, and is representative of whether we care to customers.

[mattheworiordan]

I am not sure this is what we'd recommend, always sending both tokens instead of just the one you need? Why would a single endpoint be used for Ably and app auth, when both only need one of the two JWTs?

[mattheworiordan]

This URL doesn't match the server example you have above

[mattheworiordan]

This approach is broken in that a new app token cannot be generated as it's cached at the time of login, instead of obtaining one at the time it's needed

[mattheworiordan]

If that's teh case, why are you not specifying a TTL when issuing the token?

[mattheworiordan]

I am not sure we should be just listing out integrations with random providers like this. It doesn't really flow, at the start we're talking about issuing JWTs ,then we are showing random integrations where with this one we're just showing how to issue a token with Lambda, and then we move onto token renewal. It doesn' feel well thought through, why this order?

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[mattheworiordan]

This is not necessary. If this is needed, the problem of which auth mechanism t use is surely solved?

[umair-ably]

Thanks both @mattheworiordan @paddybyers

I should've made it clear I had not yet reviewed the LLM output, so this at the very least should've been a draft only! I mostly put it up to get a gauge on the kind of content we think we were missing and the placement of it.

However, your comments have massively helped me in understanding the scope of what needs changing in our auth docs, as well as highlighting my limited understanding of exactly what we're trying to tell and recommend to our customers. I've got a session with Mark and Paddy shortly to understand exactly what our position is re: Auth with Ably, what we're trying to tell our customers, and some historical context of how auth has evolved to the point we seem to have deviations in our docs.

I'm trying to solely use LLMs for this, so again, some of these changes are likely subpar as I get a better understanding of the problem later today. For the time-being, I've gone back and forth with Claude to "resolve" (or at least have a stab at resolving) your current comments.

I would ignore this for now until I've had a chance to capture and implement the findings from our meeting later today - this is purely to move the needle and help my own understanding from what you've presented in the comments so far.

Comments on auth/quick-reference.mdx (12 comments)

Comment	Resolved
paddybyers: Why authURL instead of callback?	✅ Added "authUrl vs authCallback" section explaining both
paddybyers: Why native tokens instead of JWT?	✅ Server examples now generate JWTs directly
paddybyers: Security comparison feels like slop	✅ Section removed
paddybyers: Troubleshooting section issues	✅ Section removed
mattheworiordan: Decision matrix unclear	✅ Removed, simplified to code examples
mattheworiordan: Duplicating overview page	✅ Simplified to quick reference focus
mattheworiordan: Server using Realtime not REST	✅ Now uses Ably.Rest server-side
mattheworiordan: getUserIdFromRequest odd name	✅ Now uses req.user?.id (auth middleware pattern)
All troubleshooting/product links comments	✅ These sections removed

Comments on auth/token.mdx (8 comments)

Comment	Resolved
paddybyers: JWT should be primary, not TokenRequest	✅ "Ably JWT is recommended for most use cases"
paddybyers: Serverless in wrong section	✅ Moved to JWT section (stateless)
paddybyers: TokenRequest advantages become disadvantages	✅ Restructured with proper trade-offs
paddybyers: Too much repetition	✅ Cleaned up, table simplified
mattheworiordan: Table values questionable	✅ Table revised with clearer yes/no values

Comments on auth/jwt-integration.mdx (8 comments)

Comment	Resolved
mattheworiordan: Sending both tokens wrong	✅ File simplified, single endpoint approach
mattheworiordan: URL mismatch	✅ Consistent /api/ably-jwt throughout
mattheworiordan: Token caching broken	✅ Now uses proper authCallback pattern
mattheworiordan: No TTL specified	✅ expiresIn: '1h' now included
mattheworiordan: Random provider list	✅ Provider integrations removed
mattheworiordan: getCurrentAppToken confusing	✅ Removed
mattheworiordan: "Next Steps" not used in docs	✅ Section removed

Comments on chat/authentication.mdx (12 comments)

Comment	Resolved
paddybyers: Should recommend JWT	✅ Creates JWTs directly
mattheworiordan: authMethod/authHeaders inconsistent	✅ Examples now consistent using authCallback
mattheworiordan: Send/receive should be separate	✅ Capability table has separate rows
mattheworiordan: Missing annotations/mutations	✅ Table includes annotation-publish, etc.
mattheworiordan: Wrong namespace format	✅ Correct my-room::$chat format
mattheworiordan: "Next Steps" section	✅ Removed

Comments on Chat Room Features (6 comments)

File	Comment	Resolved
rooms/occupancy.mdx	Auth callout irrelevant	✅ Removed
rooms/presence.mdx	Should link to identified-clients	✅ Links to /docs/auth/identified-clients
rooms/reactions.mdx	Should mention identified clients	✅ Now references identified clients
rooms/typing.mdx	Unnecessary auth note	✅ Removed

Comments on chat/setup.mdx (1 comment)

Comment	Resolved
Empty code blocks	✅ All code blocks now have content

Comments on spaces/authentication.mdx & spaces/avatar.mdx (2 comments)

Comment	Resolved
"Next Steps" not used in docs	✅ Removed
Auth note unnecessary in avatar.mdx	✅ Removed

---

Key Changes Made

1. JWT is now the recommended primary auth mechanism throughout all docs
2. Removed unnecessary sections: Security comparison, Troubleshooting, Next Steps, Provider integrations
3. Server examples use REST client instead of Realtime
4. Consistent authCallback examples across all SDKs
5. Accurate capability tables with separate permissions
6. Proper identified client references in Chat features
7. jwt-integration.mdx dramatically simplified from ~430 lines to ~89 lines
8. Fixed empty code blocks in setup.mdx

[paddybyers]

This is really hard to review because it's dominated by changes to the path for the auth docs. Please at least make all of those changes in a separate commit (but I don't see why it's not a separate PR). Then the other material changes can be reviewed.

[umair-ably]

This is really hard to review because it's dominated by changes to the path for the auth docs. Please at least make all of those changes in a separate commit (but I don't see why it's not a separate PR). Then the other material changes can be reviewed.

that's fair - the change was from our meeting in which we wanted auth docs under platform with shorter product auth guides in their respective sections. This then meant leaving the path as docs/auth or changing it to docs/platform/auth... I went with the latter purely because it matches the nav stack. I'll change it for the sake of this PR

[umair-ably]

@paddybyers I also unified the messaging we had when pointing people to the token auth docs... I'll revert this and do that as a separate PR.. just a moment

[umair-ably]

@mattheworiordan @paddybyers

Previous comments should be addressed.

There was a fair few more changes that I'll instead add in a subsequent PR (adding asides to current basic auth code examples which highlight using JWT token in prod, and redirects to ensure links point to the new auth docs location under platform)

[umair-ably]

remove this... duplicate

[umair-ably]

@paddybyers

Undone all nav changes for this PR... All auth docs changes are now isolated to their original location (under pubsub) and new product specific auth pages e.g. Chat and Spaces.

Upcoming PR(s) will reintroduce:

• Moving auth docs from pubsub to platform (and redirects where needed)
• MQTT and SSE docs changes
• Unifying and adding messaging around using JWT token auth where we have basic auth code examples

cc: @m-hulbert

[paddybyers]

Please see the comments. I think this still needs some work.

Discussions relating to auth have lots of scope for ambiguity so please use precise language. Every word has one meaning, and every meaning has one word.

@m-hulbert I'll defer to you on whether or not the restructure makes sense wrt the nav.

Someone from the Chat team needs to review the chat parts - having the ::$chat directive in the capability expression I'm sure is wrong (@splindsay-92 )

[paddybyers]

Suggested change

	Set capabilities in a JWT using the `x-ably-capability` claim. No Ably SDK is required—any JWT library will work:
	Set capabilities in a JWT using the `x-ably-capability` claim. No Ably SDK is required - any JWT library will work:

Please no em-dashes

[paddybyers]

Maybe worth just adding
This example uses jsonwebtoken
?

[paddybyers]

This says nothing about why JWT might not be suitable

[paddybyers]

I think this needs to be more explicit. The capabilities of the resulting token are the intersection of the request capabilities, and those of the issuing API key. (This is also true for JWT.)

The requestToken() request will fail if the intersection is empty - ie the token would have no rights.

This should also mention the gotcha: this intersection behaviour means that a call to requestToken() will succeed, but can fail to provide a token with all of the requested capabilities. If the capabilities of the issuing key are not known by the client, then a successful response to requestToken() should be followed by a check that all of the requested capabilities are present.

[paddybyers]

@m-hulbert Are we happy that "TokenRequest authentication" is the appropriate name in these docs for the native token mechanism?

[m-hulbert]

I think the high-level mechanism should be 'Ably Tokens' personally.

[paddybyers]

Note that this does not apply to presence

I thought we support that now - pls check

[paddybyers]

Suggested change

	Note that the machine on which you are running your auth server should have an accurate clock, as tokens and `TokenRequest` contain a timestamp. You can use an [NTP daemon](https://en.wikipedia.org/wiki/Ntpd), or if you are not able to control your server's clock, you can wish to use the `queryTime` [auth option](/docs/api/rest-sdk/types#auth-options).
	Note that the machine on which you are running your auth server should have an accurate clock, as tokens and `TokenRequest` contain a timestamp and have limited validity. You can use an [NTP daemon](https://en.wikipedia.org/wiki/Ntpd), or if you are not able to control your server's clock, you can wish to use the `queryTime` [auth option](/docs/api/rest-sdk/types#auth-options).

[paddybyers]

Please do not use bold like this. Use a heading if appropriate, or just plain text.

I don't understand why these channel claims are relevant to this use-case - can you explain?

[paddybyers]

Why is this relevant to a multi-tenanted system?

[paddybyers]

I think this is incorrect. A resource specifier in a capability expression will match on the channel name without the directive part.

[paddybyers]

Please don't use bold like this.
Please don't use the word "security" like this. There are words that mean the specific thing you're trying to say.

[m-hulbert]

Thanks Umair.

I can see this starting to take shape, but I think we need to make some larger changes, as we've made a long page even longer (and arguably more complicated) - with the actual code to get up and running 40% down the page.

I think we should split up the token authentication page into 3/4 separate ones;

• Overview
  • Covers anything that is true for all forms of token authentication.
  • I think this needs to mention that authentication is handled by the Pub/Sub SDK and what that means for other products.
• JWTs
  • Just info on JWTs with a mention at the top that it's recommended. authCallback used in examples in all languages - authUrl can be further down with associated examples, but most people will use the callback.
  • Note on when you'd use Ably native Tokens instead in the intro.
• Ably Tokens
  • Note at the top that JWTs are recommended and you'd only use Ably Tokens in these circumstances.
  • All info on Ably Token mechanisms. (I'd also include a token embedded in a JWT on this page personally, but defer to @paddy on the popularity of that).
• Token revocation
  • Makes sense to nest this if we create this section.

We've also added a lot of "JWT is recommended" in places, but I feel we should just stick to the points around length of the JWT and its publicly visible claims. If we create a token authentication overview, I feel all we need to state is 'use JWT authentication unless...". And then reiterate that at the top of the JWT and Ably Token pages.

Can we also ensure we have full coverage for all languages whilst we're updating this please?

[m-hulbert]

I feel this is sort of trying to justify the use of JWTs which I'm not sure is strictly necessary if we position it as the recommended approach. Would be curious on other opinions though.

[m-hulbert]

I'm not sure why some of these rows are bold and others aren't.

[m-hulbert]

We don't tend to write 'this page covers'. This should dive straight into what Chat authentication is, and that it's handled by the Pub/Sub SDK.

We also spoke about this replacing the SDK setup page, so I don't think we should be updating that page, and adding this one as it's just splitting the info between two pages. Especially when this page (which should be the go-to for auth) is only showing JS examples.

[m-hulbert]

We seem to have taken the table from the existing setup page and added more rows unnecessarily.

[m-hulbert]

We should be using the variable for a demo key in all code examples please.

[m-hulbert]

Can we ensure links are included inline rather than having 'see X' or 'read more' everywhere please.

[m-hulbert]

I think most of my comments from chat are relevant here.

[m-hulbert]

This is the first point we're mentioning that space is equivalent to a channel. Before now you have no idea or concept of their relationship.

[m-hulbert]

IIRC the channel name is your-space::$space. I'm not 100% if spaces directives are handled in capabilities automatically the same way that chat ones are though.

[m-hulbert]

Also needs React.