How should Vivox Access Tokens (VATs) be generated securely for a production title? This article is for game developers moving Vivox from development to production. It covers the security risks of client-side VAT generation, which credentials must remain server-side, how to handle VAT generation in applications without a dedicated server, and a common source of token claim mismatch errors.
Scenario
Before you release your game to production, it is highly recommended to generate your Vivox Access Tokens (VATs) on a secure server and then deliver those access tokens to the game client. Allowing VAT generation on your client during production is a security risk and can cause unexpected errors for your users.
Security Risks
The server URL, domain, and issuer can be present in client code; however, the token signing key should not be distributed to or stored on the client. Anyone who obtains the signing key can generate valid VATs for any user or channel, which enables impersonation and unauthorized access.
Token Expiration
Users can experience 20121 (Access Token Expired) errors despite tokens being freshly generated. This can be caused by clock skew between the client device and the Vivox server. A small tolerance of a few seconds is expected; a mismatch of several minutes is not.
Resolution
The following sections provide implementation options for server-side VAT generation and address a common issue encountered during setup. Choose the section that matches your server architecture.
Applications With a Dedicated Server
Vivox provides ready-to-use VAT generation code for C++, C#, JavaScript, and Python. For direct links to the code samples, go to Where can I find the Vivox Access Token (VAT) Developer Guide for my SDK? and choose your Vivox version.
Applications Without a Dedicated Server
If your application does not operate a dedicated control server, Unity Cloud Code can provide a simple alternative for VAT vending. Unity provides an example Vivox token vending module for Cloud Code. You deploy the module to a managed Cloud Code endpoint, configure your credentials, and clients request tokens from that endpoint. No server infrastructure is required.
Common Remote Generation Issue
The token claims f (from), t (to), and sub (subject) require SIP URI values specific to each user and channel. Constructing these values manually on the server is a common source of token claim mismatch errors. The recommended approach is to retrieve the SIP URI strings from the SDK objects on the client and pass them to your server when requesting a token.
For the correct method of obtaining these values per SDK type, see How to access SIP URIs for Vivox Access Token generation.
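As an added example (not Vivox's own sample code), the following shows the server side of the arrangement described above: the signing key lives only on the server, the f, t, and sub values arrive from the client's SDK objects rather than being rebuilt on the server, and exp is set from the server clock. The token layout follows the published VAT format (empty JWT header, HMAC-SHA256 over header.payload); the issuer, key, and SIP URI strings are placeholders.

```python
import base64, hashlib, hmac, itertools, json, time
from typing import Optional

# Placeholders: the real issuer and key come from your Vivox developer account.
# The key stays on the server; clients only ever receive finished tokens.
ISSUER = "placeholder-issuer"
SIGNING_KEY = b"placeholder-signing-key-keep-server-side"
_serial = itertools.count(1)  # vxi: a unique integer per token

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def check_sip_uri(uri: str) -> str:
    # The client passes SIP URIs read from its SDK objects; reject anything
    # not shaped like one instead of trying to reconstruct it server-side.
    if not uri.startswith("sip:") or "@" not in uri:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return uri

def mint_vat(action: str, from_uri: str, to_uri: Optional[str] = None,
             subject: Optional[str] = None, ttl: int = 90,
             now: Optional[int] = None) -> str:
    """Build and HMAC-SHA256 sign a VAT; exp is derived from the server clock."""
    issued = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "exp": issued + ttl, "vxa": action,
              "vxi": next(_serial), "f": check_sip_uri(from_uri)}
    if to_uri is not None:
        claims["t"] = check_sip_uri(to_uri)
    if subject is not None:
        claims["sub"] = check_sip_uri(subject)
    header = _b64url(b"{}")  # VATs carry an empty JWT header
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def claims_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))

def verify_vat(token: str, now: Optional[int] = None) -> bool:
    """Server-side check: signature matches and the token has not expired."""
    header, body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return False
    current = int(time.time()) if now is None else now
    return claims_of(token)["exp"] > current
```

The endpoint that calls mint_vat should authenticate the requesting player before vending, since the token grants whatever f, t, and sub describe.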