Xano Documentation
  • 👋Welcome to Xano!
  • 🌟Frequently Asked Questions
  • 🔐Security & Compliance (Trust Center)
  • 🙏Feature Requests
  • 💔Known Issues
  • Before You Begin
    • Using These Docs
    • Where should I start?
    • Set Up a Free Xano Account
    • Key Concepts
    • The Development Life Cycle
    • Navigating Xano
    • Plans & Pricing
  • The Database
    • Designing your Database
    • Database Basics
      • Using the Xano Database
      • Field Types
      • Relationships
      • Database Views
      • Export and Sharing
      • Data Sources
    • Migrating your Data
      • Airtable to Xano
      • Supabase to Xano
      • CSV Import & Export
    • Database Performance and Maintenance
      • Storage
      • Indexing
      • Maintenance
      • Schema Versioning
  • 🛠️The Function Stack
    • Building with Visual Development
      • APIs
        • Swagger (OpenAPI Documentation)
      • Custom Functions
        • Async Functions
      • Background Tasks
      • Triggers
      • Middleware
      • Configuring Expressions
      • Working with Data
    • Functions
      • AI Tools
      • Database Requests
        • Query All Records
          • External Filtering Examples
        • Get Record
        • Add Record
        • Edit Record
        • Add or Edit Record
        • Patch Record
        • Delete Record
        • Bulk Operations
        • Database Transaction
        • External Database Query
        • Direct Database Query
        • Get Database Schema
      • Data Manipulation
        • Create Variable
        • Update Variable
        • Conditional
        • Switch
        • Loops
        • Math
        • Arrays
        • Objects
        • Text
      • Security
      • APIs & Lambdas
        • Realtime Functions
        • External API Request
        • Lambda Functions
      • Data Caching (Redis)
      • Custom Functions
      • Utility Functions
      • File Storage
      • Cloud Services
    • Filters
      • Manipulation
      • Math
      • Timestamp
      • Text
      • Array
      • Transform
      • Conversion
      • Comparison
      • Security
    • Data Types
      • Text
      • Expression
      • Array
      • Object
      • Integer
      • Decimal
      • Boolean
      • Timestamp
      • Null
    • Environment Variables
    • Additional Features
      • Response Caching
  • Testing and Debugging
    • Testing and Debugging Function Stacks
    • Unit Tests
    • Test Suites
  • CI/CD
  • File Storage
    • File Storage in Xano
    • Private File Storage
  • Realtime
    • Realtime in Xano
    • Channel Permissions
    • Realtime in Webflow
  • Maintenance, Monitoring, and Logging
    • Statement Explorer
    • Request History
    • Instance Dashboard
      • Memory Usage
  • Building Backend Features
    • User Authentication & User Data
      • Separating User Data
      • Restricting Access (RBAC)
      • OAuth (SSO)
    • Webhooks
    • Messaging
    • Emails
    • Custom Report Generation
    • Fuzzy Search
    • Chatbots
  • Xano Features
    • Snippets
    • Instance Settings
      • Release Track Preferences
      • Static IP (Outgoing)
      • Change Server Region
      • Direct Database Connector
      • Backup and Restore
      • Security Policy
    • Advanced Back-end Features
      • Xano Link
      • Developer API (Deprecated)
    • Metadata API
      • Master Metadata API
      • Tables and Schema
      • Content
      • Search
      • File
      • Request History
      • Workspace Import and Export
      • Token Scopes Reference
  • Xano AI
    • Building a Backend Using AI
    • Get Started Assistant
    • AI Database Assistant
    • AI Lambda Assistant
    • AI SQL Assistant
    • API Request Assistant
    • Template Engine
    • Streaming APIs
  • AI Tools
    • MCP Servers
      • Connecting Clients
      • MCP Functions
  • Xano Transform
    • Using Xano Transform
  • Xano Actions
    • What are Actions?
    • Browse Actions
  • Team Collaboration
    • Realtime Collaboration
    • Managing Team Members
    • Branching & Merging
    • Role-based Access Control (RBAC)
  • Agencies
    • Xano for Agencies
    • Agency Features
      • Agency Dashboard
      • Client Invite
      • Transfer Ownership
      • Agency Profile
      • Commission
      • Private Marketplace
  • Enterprise
    • Xano for Enterprise
    • Enterprise Features
      • Microservices
      • Tenant Center
      • Compliance Center
      • Security Policy
      • Instance Activity
      • Deployment
      • RBAC (Role-based Access Control)
      • Xano Link
  • Your Xano Account
    • Account Page
    • Billing
    • Referrals & Commissions
  • Troubleshooting & Support
    • Error Reference
    • Troubleshooting Performance
      • When a single workflow feels slow
      • When everything feels slow
      • RAM Usage
      • Function Stack Performance
    • Getting Help
      • Granting Access
      • Community Code of Conduct
      • Community Content Modification Policy
  • Special Pricing
    • Students & Education
    • Non-Profits
  • Security
    • Best Practices
Powered by GitBook
On this page
  • Permissions
  • Anonymous Clients
  • Presence
  • Client Public Messaging
  • Authenticated Only (Client Public Messaging)
  • Client Authenticated Messaging
  • Client Private Messaging
  • Authenticated Only (Client Private Messaging)
  • Applying Permissions
  • Permission Examples

Was this helpful?

  1. Realtime

Channel Permissions

Last updated 3 months ago

Was this helpful?

Channels are opened with your front-end's implementation of Realtime.

const marvelChannel = this.xanoClient.channel("marvel-chat-room");

Each channel needs to have permissions defined to ensure that they behave in the way that you expect and remain secure. On this page, we'll go over the various permission settings available and show you how to apply them.

Securing your Realtime channels is a multi-step process, and is not always solely reliant on the channel permissions you set. This includes:

  • Setting the proper channel permissions for your use case

  • Using nested channels to separate data

  • Using to act as a primary or secondary measure to block messages from being sent to the channel

  • Generating separate authentication tokens for connecting to the realtime server

  • Obfuscating the implementation on your front-end, and ensuring that channel creation is handled properly

Permissions

Anonymous Clients

Anonymous Clients means that you allow unauthenticated users to connect to your channels, but they can not send messages.

Presence

Every client connected to this channel will receive a the list of all the other clients (including yourself). Note that authenticated client details will be augmented with the extra information stored in their JWT token.

Client Public Messaging

This option allows authenticated and unauthenticated clients to send messages to the channel. These messages will be sent to all the users connected to the channel.

Authenticated Only (Client Public Messaging)

Similar to Client Public Messaging, this permission allows only authenticated users to send messages to the channel. Unauthenticated clients can still see the messages being sent to the channel.

Client Authenticated Messaging

Every message sent to the channel by authenticated clients will only broadcasted to all other authenticated clients. This means that anyone can connect to that channel, but only authenticated client will receive messages broadcasted by the channel. Anonymous client will not receive any messages.

Client Private Messaging

This enables clients to send messages directly to other clients without requiring authentication as long as both clients are present in the channel.

Authenticated Only (Client Private Messaging)

This permission enables client private messaging only between authenticated clients. Unauthenticated clients can not send private messages.

It's important to note that some of these permissions may appear to have logical dependencies, but they do not. For example, if you enable Client Public Messaging, this implies that Anonymous Clients is also enabled.

Applying Permissions

From the Realtime Settings panel, click the icon shown below to define channel permissions.

On the next panel that opens, fill in the options shown.

Channel Status

Defines whether or not these channel permissions are utilized

Channel Target

This is essentially the name of the channel you are creating permissions for. Channel names can be dynamic to support creation of new channels from your front-end by enabling the nested channels option. Using nested channels along with a name like "chatroom/*" will allow you to create channels that begin with "chatroom/" and anything else afterwards, such as a unique channel identifier. If you do not enable nested channels, the permissions will just apply to the channel name you specify.

Description

Give your permission layout a description for organizational purposes, if you wish.

Permissions

Using the list of permissions on this page, determine the correct set of permissions to apply to any channels that match the name pattern.

Channel Triggers

Triggers are function stacks that can run when messages or events are sent to the channel(s) impacted by these permissions. You need to first save your changes to enable adding triggers when creating new permissions.

Permission Examples

Please note that Presence is usually optional no matter the scenario and is just based on if you want to utilize presence updates in your realtime channels.

Context
Permissions

A chat application where users can both connect and send messages anonymously

A chat application where users can connect anonymously, but authentication is required to send messages

A chat application that only allows authenticated users to connect and send messages

A chat application that only allows authenticated users to connect, and allows direct client-client private messaging for authenticated users

For more information about Realtime Triggers, see of our documentation.

A notification system that allows for unauthenticated users to connect so they can receive notifications, but sending messages is not allowed. You would send notifications to this type of channel through the function.

Realtime Triggers
this section
Realtime Event