Player access to Vivox resources is controlled through Vivox Access Tokens (VATs). A Vivox Access Token contains a payload that defines the privileged operation, is signed by the game server with a token signing key, and is delivered by the client to the Vivox system when the player wants to perform a privileged operation. VATs are similar to JSON Web Tokens (JWTs), but the access token header is empty.
Access tokens have the following characteristics:
- Tokens can only be used once. When a token has been used for a privileged operation, it cannot be reused.
- Tokens expire even if they are never used. A token cannot be used after the expiration time that is set by the token issuer.
Each privileged operation requires a token in a specific format. Privileged operations include the following actions:
- Signing in
- Joining a channel (whether muted or unmuted)
- Kicking a user from a channel or from the server
- Muting or unmuting a user in a channel, for all other users in the channel
Before you release your game to production, you need to generate your access tokens on a secure server and then vend those access tokens to the game client. Allowing for token generation on the client during production is a security risk and can cause unexpected token expiration errors for your users.
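The following sketch is an added example, not code from Vivox or from this page. It mints a JWT-style token with an empty header on the server and runs it through a toy checker that enforces the signature, expiry, and single-use properties described above. The HMAC-SHA256 signature, the claim names `exp`, `vxa`, and `vxi`, and the `TokenChecker` class are assumptions that this page does not specify.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # base64url without padding, as JWT-style tokens use
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(key: bytes, signing_input: str) -> str:
    # Assumed algorithm: HMAC-SHA256 over "header.payload"
    return b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())

def mint_token(key: bytes, claims: dict) -> str:
    """Server side: empty header, payload, signature over 'header.payload'."""
    header = b64url(b"{}")  # the empty header the page describes
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{sign(key, header + '.' + payload)}"

class TokenChecker:
    """Toy receiving side (not Vivox's implementation): signature, expiry, single use."""
    def __init__(self, key: bytes):
        self.key, self.used = key, set()

    def accept(self, token: str, now: int) -> str:
        parts = token.split(".")
        if len(parts) != 3:
            return "malformed"
        header, payload, sig = parts
        # Constant-time comparison of the recomputed signature
        if not hmac.compare_digest(sign(self.key, header + "." + payload), sig):
            return "bad-signature"
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
        if now >= claims["exp"]:          # expires even if never used
            return "expired"
        if claims["vxi"] in self.used:    # assumed unique-ID claim; one use only
            return "replayed"
        self.used.add(claims["vxi"])
        return "ok"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed; a real key stays on the server
    checker = TokenChecker(key)
    login = mint_token(key, {"exp": 1000, "vxa": "login", "vxi": 1})
    wrong_key = mint_token(b"not-the-server-key", {"exp": 1000, "vxa": "kick", "vxi": 2})
    late = mint_token(key, {"exp": 1000, "vxa": "join", "vxi": 3})
    return [checker.accept(login, 900), checker.accept(login, 901),
            checker.accept(wrong_key, 900), checker.accept(late, 1000)]

if __name__ == "__main__":
    print(demo())
```

Because only the holder of the signing key can produce a token that passes the signature check, keeping `mint_token` on the server is what keeps clients from authorizing their own privileged operations.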