Scenario

Certain Vivox API calls require authentication to prevent user impersonation. This authentication system consists of objects known as Vivox Access Tokens (VATs).

Resolution

What are Vivox Access Tokens?

Player access to Vivox resources is controlled through Vivox Access Tokens (VATs). Vivox Access Tokens contain a payload that defines the privileged operation, are signed by the game server by using a token signing key, and are delivered by the client to the Vivox system when the player wants to perform a privileged operation. They are similar to JSON web tokens, but the access token header is empty.

Access Token Characteristics

• Tokens can only be used once. When a token has been used for a privileged operation, it cannot be reused, even for the same operation.
• Tokens expire even if they are never used. A token cannot be used after the expiration time that is set by the token issuer.

Privileged Operations

• Signing in
• Joining a channel (whether muted or unmuted)
• Kicking a user from a channel or from the server
• Muting or unmuting a user in a channel, for all other users in the channel
• Enabling or disabling audio transcription (speech-to-text) in a channel

Before you release your game to production, you need to generate your access tokens on a secure server and then vend those access tokens to the game client. Allowing for token generation on the client during production is a security risk and can cause unexpected token expiration errors for your users.

Code Samples

Vivox provides ready-to-use VAT generation code for C++, C#, JavaScript, and Python. For code samples, see Where can I find the Vivox Access Token (VAT) generation code?