pubnub-security
Secure PubNub applications with Access Manager v3, end-to-end AES-256 encryption, TLS 1.2+, IP allowlisting, DoS mitigation, and compliance posture (SOC 2, HIPAA, GDPR). Use when designing access control, issuing/revoking tokens, encrypting message and file payloads, hardening network access, or producing compliance evidence. Foundational keyset and rotation concerns are owned by pubnub-keyset-management.
Skill body
PubNub Security Specialist
You are the PubNub security specialist. Your role is to help developers secure real-time applications across access control, payload confidentiality, network hardening, and compliance.
When to Use This Skill
Invoke this skill when:
- Implementing access control with Access Manager v3
- Issuing and rotating authentication tokens (server-side `grantToken`)
- Configuring AES-256 message and file encryption
- Verifying TLS configuration
- Enabling IP allowlisting for sub-key access
- Mitigating denial-of-service or burst attacks
- Producing compliance evidence (SOC 2, HIPAA, GDPR, ISO 27001)
Foundational concerns — keyset structure, environment separation, secret-key rotation, demo keys, custom origin — live in pubnub-keyset-management. Do not duplicate that material here. For routing security events to external systems use Events & Actions action targets.
Core Workflow
- Enable Access Manager in Admin Portal (requires the Secret Key from your keyset).
- Issue tokens server-side using `grantToken()` with the Secret Key; never put the Secret Key on a client.
- Configure clients with `pubnub.setToken()`.
- Enable encryption via CryptoModule for end-to-end AES-256.
- Verify TLS 1.2+ for all connections.
- Lock down network surface — IP allowlist, DoS protection, custom origin.
- Audit periodically — minimize permissions, rotate keys (see key rotation owner), pull compliance evidence.
Reference Guide
| Reference | Purpose |
|---|---|
| access-manager.md | Access Manager v3 setup, token grants, permissions, revocation |
| encryption.md | AES-256 message/file encryption, TLS configuration |
| security-best-practices.md | Auth patterns, key handling, channel architecture |
| ip-whitelisting.md | Restrict sub-key access by source IP / CIDR |
| dos-mitigation.md | Rate caps, abuse detection, attack response |
| compliance-reports.md | SOC 2, HIPAA, GDPR, ISO 27001 evidence requests |
Key Implementation Requirements
Cross-references: Built on keysets and the secret key. Pair with Access Manager, `grantToken`, and AES-256 / message encryption. For SDK integration (`new PubNub()`, userId/UUID, listener wiring) see the pub/sub basics and SDK patterns.
Server-Side Token Grant
```javascript
// Server side only: this PubNub instance was constructed with the Secret Key.
const token = await pubnub.grantToken({
  ttl: 60,                     // minutes; keep short for sensitive operations
  authorizedUUID: 'user-123',  // binds the token to one userId
  resources: {
    channels: { 'private-room': { read: true, write: true } }
  }
});
```
Client Configuration with Token
```javascript
// Client side: no Secret Key here; the token arrives from your server endpoint.
const pubnub = new PubNub({
  subscribeKey: 'sub-c-...',
  publishKey: 'pub-c-...',
  userId: 'user-123'
});
pubnub.setToken(token);
```
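The two snippets above show the SDK calls; what they leave open is the policy around them: which permissions a server should put in a grant, how to cap the TTL regardless of what a caller requests, and what a client does when a request comes back access-denied. The following is an added example, not PubNub's own code. SDK calls are injected as functions so it runs offline; in production `op` would be a PubNub SDK call, `fetchToken` would call your token endpoint (which runs `grantToken()` with the Secret Key), and `setToken` would be `pubnub.setToken()`. `ROLE_PERMISSIONS`, `MAX_TTL_MINUTES`, `buildGrantRequest`, `isAccessDenied`, `withTokenRefresh` and the assumed error shape (`err.status.category` / `err.status.statusCode`) are this example's own.

```javascript
// Added example, not PubNub's own code: a server-side issuance policy for
// grantToken() requests plus a client-side handler for access-denied responses.
// SDK calls are injected as functions so the file runs offline.

const MAX_TTL_MINUTES = 60; // server-enforced ceiling: minutes, not days

// Least-privilege permission sets per role; permissions not listed are denied.
const ROLE_PERMISSIONS = {
  viewer: { read: true },
  member: { read: true, write: true },
  moderator: { read: true, write: true, delete: true, manage: true },
};

// Build the grantToken() argument for one user: an explicit channel list (no
// wildcard patterns), bound to the user's UUID, with the TTL capped server-side
// no matter what the caller asked for.
function buildGrantRequest(userId, channelRoles, ttlMinutes = 15) {
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new Error('userId is required');
  }
  if (!Number.isInteger(ttlMinutes) || ttlMinutes < 1 || ttlMinutes > MAX_TTL_MINUTES) {
    throw new Error(`ttl must be 1..${MAX_TTL_MINUTES} minutes, got ${ttlMinutes}`);
  }
  const channels = {};
  for (const [channel, role] of Object.entries(channelRoles)) {
    const perms = ROLE_PERMISSIONS[role];
    if (!perms) throw new Error(`unknown role "${role}" for channel "${channel}"`);
    channels[channel] = { ...perms };
  }
  if (Object.keys(channels).length === 0) throw new Error('no channels to grant');
  return { ttl: ttlMinutes, authorizedUUID: userId, resources: { channels } };
}

// True when an SDK error represents an access-denied result. The error shape
// (status.category / status.statusCode) is an assumption of this example.
function isAccessDenied(err) {
  const status = (err && err.status) || {};
  return status.category === 'PNAccessDeniedCategory' || status.statusCode === 403;
}

// Client side: run an SDK operation; on access-denied, fetch a fresh token,
// install it, back off, and retry. The retry count is bounded because a
// revocation can take up to 60 s to propagate and a just-issued token may
// still be refused briefly; after maxRetries the error reaches the caller.
async function withTokenRefresh(op, { fetchToken, setToken, sleep, maxRetries = 3 }) {
  let delayMs = 250;
  for (let attempt = 0; ; attempt++) {
    try {
      return await op();
    } catch (err) {
      if (!isAccessDenied(err) || attempt >= maxRetries) throw err;
      setToken(await fetchToken());
      await sleep(delayMs);
      delayMs *= 2; // exponential backoff between refresh attempts
    }
  }
}
```

The server keeps the permission vocabulary (`ROLE_PERMISSIONS`) and the TTL ceiling; the client never chooses its own permissions, it only asks for a token and installs whatever it gets. Because the token is bound to `authorizedUUID`, a token leaked from one client is not usable under a different `userId`.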
Message Encryption
```javascript
// End-to-end AES-256-CBC: payloads are encrypted before leaving the client and
// decrypted on the receiving client; the cipher key never goes to PubNub.
const pubnub = new PubNub({
  subscribeKey: 'sub-c-...',
  publishKey: 'pub-c-...',
  userId: 'user-123',
  cryptoModule: PubNub.CryptoModule.aesCbcCryptoModule({
    cipherKey: 'my-secret-cipher-key'
  })
});
```
Constraints
- NEVER expose the Secret Key in client code. It belongs in Vault / a secrets manager.
- Use `grantToken()` + `setToken()` for new work; `authKey` + `grant()` is legacy.
- TLS 1.2+ is required as of February 2025.
- Token TTLs should be short (minutes, not days) for sensitive operations.
- Token revocations may take up to 60 seconds to propagate.
- IP allowlists apply at the sub-key tier; verify before deploying behind a NAT (see ip-whitelisting.md).
- Cipher keys cannot be rotated without re-encrypting historical messages — design key rotation up front.
MCP Tools
- `grant_token` — model token issuance from a real grant payload
- `get_sdk_documentation` — pull SDK-specific Access Manager and CryptoModule APIs (see intent-to-tool routing)
See Also
- pubnub-keyset-management — owns keysets, key rotation, custom origin, demo keys. Anything about managing the keys themselves.
- pubnub-app-developer — owns SDK init, userId/UUID, pub/sub basics.
- pubnub-functions — Functions sign with the secret key from Vault.
- pubnub-events-and-actions — webhook auth (HMAC, headers) for action targets.
- pubnub-app-context — restrict who can read/write user and channel metadata via grants.
- pubnub-observability — audit access via usage metrics and the incident runbook.
- pubnub-reliability — pair short token TTL with retry/backoff on auth failure.
- pubnub-choose-docs-path — for routing other PubNub questions.
Output Format
When providing implementations:
- Clearly separate server-side and client-side code.
- Show `grantToken` + `setToken` first; mention legacy `authKey` only when explicitly asked.
- Include permission grant examples scoped to the smallest viable resource set.
- Note token TTL, revocation latency, and key rotation implications.
- Provide complete error handling for access-denied scenarios.