Authentication

Vonage APIs support different authentication methods depending on which product you are using:

API	API Key and Secret (Query String)	API Key and Secret (Header)	JSON Web Token (JWT)
Accounts
Application
Audit
Conversation
Conversion
Device Location Retrieval
Dispatch
Media
Meetings
Messages¹
Network APIs²
Numbers
Number Insight
Number Insight V2
Programmable SIP
Redact
Reports
SMS
Verify (Legacy)
Verify³
Voice⁴
Video

¹ Messages supports both JWT and Basic authentication, however basic authentication does not support webhooks or advanced features such as ACLs. For most use-cases we recommend JWT Authentication. See Messages API Authentication

² The JWT token generated serves as a bridge for generating a CAMARA access token, needed to access the Network APIs. The workflow varies based on whether the authentication is initiated from the frontend or the backend. Visit the Network API authentication guide to learn more.

³ Verify supports both JWT and Basic authentication, however basic authentication does not support webhooks or advanced features such as ACLs.

⁴ SIP Trunking uses Digest Authentication method with the API Key as user and API Secret as password.

In this document you can learn about authentication via the following means:

API Key and Secret

When you create a Vonage account, an API key and secret will be created for you. These are located in your account settings in the Vonage Dashboard. You should always keep these secure and never share these details: be careful when adding it to your codebase to make sure they are not shared with anyone who may use it maliciously. If you use message signatures, these are generated using the SIGNATURE_SECRET rather than the API_SECRET; both values can be found in your account settings.

Note: The secret should always be kept secure and never shared. Be careful when adding it to your codebase to make sure it is not shared with anyone who may use it maliciously. Read more about the Best Security Practices for your Vonage Account.

Vonage APIs may require your API Key and Secret in a number of different ways.

Request Body

For POST requests to the SMS API, your API key and secret should be sent as part of the body of the request in the JSON object.

Query String

Your API key and secret should be included in the query parameters of requests you make to the Conversion, Number Insight or Developer API. The parameters are called API_KEY and API_SECRET respectively.

An example of authentication query parameters would be as follows:

?api_key=VONAGE_API_KEY&api_secret=VONAGE_API_SECRET

The request may also need other query parameters and these can be added in any order.

Basic Authentication

A number of newer Vonage APIs require authentication to be done using an API key and secret sent Base64 encoded in the Authorization header.

For these APIs, you send your API key and secret in the following way:

Authorization: Basic base64(API_KEY:API_SECRET)

If your API key were aaa012 and your API secret were abc123456789, you would concatenate the key and secret with a : (colon) symbol and then encode them using Base64 encoding to produce a value like this:

Authorization: Basic YWFhMDEyOmFiYzEyMzQ1Njc4OQ==

A website for generating Base64 encoded strings can be found here:

General: Base64 Encode and Decode

Details on how to encode Base64 strings in a variety of programming languages can be found at the following websites:

C#/.NET: How do I encode and decode a Base64 string? from StackOverflow
Go: Base64 Encoding from Go By Example
Java: Base64
JavaScript: Base64 encoding and decoding from MDN web docs
PHP: base64_encode
Python: Base64
Ruby: Base64
Swift: Base64 Encode and Decode in Swift from iOS Developer Tips

Secret Rotation

It is possible to have two API secrets to be used against one API key at the same time. This way you can create a second API secret and test it before revoking the existing API secret in your production network. The API secret rotation procedure consists of the following steps:

Create a second API secret in your account settings or by using the secret rotation API.
Update one or more of your servers to use the newly created API secret for making calls to Vonage APIs
Test that there are no connectivity issues and roll out the API secret update across the remaining servers
Delete the replaced API secret

JSON Web Tokens

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. For a full list of the APIs that use JWTs, please see the table above.

Header and Payload

JWTs consist of a Header and a Payload. The values for the Header are:

Name	Description	Required
`alg`	The encryption algorithm used to generate the JWT. `RS256` is supported.
`typ`	The token structure. Set to `JWT`.

The values for the payload claim are:

Name	Description	Required
`application_id`	The unique ID allocated to your application by Vonage.
`iat`	The UNIX timestamp at UTC + 0 indicating the moment the JWT was requested.
`jti`	A unique string identifier of the JWT.
`nbf`	The UNIX timestamp at UTC + 0 indicating the moment the JWT became valid.
`exp`	The UNIX timestamp at UTC + 0 indicating the moment the JWT is no longer valid. A minimum value of 30 seconds from the time the JWT is generated. A maximum value of 24 hours from the time the JWT is generated. A default value of 15 minutes from the time the JWT is generated.

Generating JWTs

Using the Vonage API online tool to generate a JWT

You can generate a JWT using our online tool.

Using the Vonage CLI to generate JWTs

The Vonage CLI provides a command for generating a JWT. The general syntax is:

vonage jwt <HttpMethodLabel method="options" />

An example of generating a JWT for an application is as follows:

vonage jwt --key_file=path/to/private.key --app_id=asdasdas-asdd-2344-2344-asdasdasd345

The private key in question is generated and stored in the current directory where you created your app using the CLI. It will have the same name as your application. You can also find it in the generated vonage_app.json file.

Further information on the Vonage CLI can be found in its repository on GitHub.

Examples of using the Vonage libraries to generate JWTs can be found below. If you are not using a Vonage library you should refer to RFC 7519 to implement JWTs.

Vonage Client SDKs

The Vonage Client SDKs use JWTs for authentication when a user logs in. These JWTs are generated using the application ID and private key that is provided when a new application is created.

Claims

Using that private.key and the application ID, you can mint a new JWT. In order to log a user into a Vonage client, the JWT will need the following claims:

Claim	Description
`sub`	The "subject". The subject, in this case, will be the name of the user created and associated with your Vonage Application.
`acl`	Access control list. The Client SDK uses this as a permission system for users. Read more about it in the ACL overview.
`application_id`	This is the ID of the Vonage Application you created.
`iat`	"Issued at time" This is the time the JWT was issued, in unix epoch time.
`jti`	"JWT ID". This is a unique string identifier for this JWT.
`exp`	"Expiration time" This is the time in the future that the JWT will expire, in unix epoch time.

The exp claim is optional. If the claim is not provided, then the JWT will expire by default in 15 minutes. The max expiration time for a JWT is 24 hours. JWTs should typically be short-lived, as it is trivial to create a new JWT and some JWTs can have multiple far-reaching permissions.

Sample JWT Payload

Once all the claims have been provided, the resulting claims should appear like so:

{
  "iat": 1532093588,
  "jti": "705b6f50-8c21-11e8-9bcb-595326422d60",
  "sub": "alice",
  "exp": "1532179987",
  "acl": {
    "paths": {
      "/*/rtc/**": {},
      "/*/users/**": {},
      "/*/conversations/**": {},
      "/*/sessions/**": {},
      "/*/devices/**": {},
      "/*/image/**": {},
      "/*/media/**": {},
      "/*/knocking/**": {},
      "/*/legs/**": {}
    }
  },
  "application_id": "aaaaaaaa-bbbb-cccc-dddd-0123456789ab"
}

Access Control List (ACL)

In the sample JWT request payload above, notice how the acl claim has a paths object. The path object contains a list of endpoints that correspond to certain permissions a user has when using the Client SDK.

Below is the list of endpoints you can grant a user access to:

Endpoint	Description	Required for
`//rtc/*`	Create signalling session to receive events and send metrics	In-app calls/message
`//sessions/*`	Log in as a user	In-app calls/messages
`//users/*`	Getting user conversations, user sessions and user object	In-app calls/messages
`//conversations/*`	Create and manage conversations & send/receive messages	In-app calls/messages
`//image/*`	Send and receive images	In-app messages
`//media/*`	Manage images	In-app messages
`//knocking/*`	Start phone calls	In-app calls
`//devices/*`	Register device to receive push notifications	In-app calls/messages
`//legs/*`	Create and manage legs in a conversation	In-app calls

You should provide the user you are generating with permissions to access only the relevant paths. For instance, if a user is not going to send images, you can create a JWT without including the /*/image/**or /*/media/** paths, similarly, you can grant a user permission by adding the required path.

To illustrate, if you add the /*/conversations/** path, the user will be able to create and manage conversations. Also, if this is the only ACL set, the user will only have access to the /conversations endpoint.

Granular ACL

Above, we looked at how to grant users access to endpoints. You may also limit or grant access based on sub-paths and HTTP methods.

Here is an example:

... "acl": { "paths": { "/path_1/*/path_2": {}, "/path/**": {"methods”: ["GET", "POST"]}, "/path/**": {"methods”: []} }}

( ...:snippet is truncated )

The above ACL translates to the following permissions:

"/path_1/*/path_2": {}: Allows access to the path /path_1/*/path_2 where * can be any sub-path. For example, /path_1/ABC/path_2 and /path_1/XYZ/path_2 will both be accessible.
"/path/**": {"methods”: ["GET", "POST"]}: Allows only GET and POST calls through when accessing /path/ and any sub-path that come after that. For example, /path/sub_1/sub_2/sub_3 will still be accessible.
"/path/**": {"methods”: []}: Calls made when using any HTTP method to endpoints starting with /path will not be accessible. For example, /path, /path/sub_1/, /path/sub_1/sub_2, and /path/sub_1/sub_2/sub_3 will all not be accessible.

Note: Setting the ACL based on sub-paths and HTTP methods also affect Client SDK methods/functions that depend on them.

Generating JWTs using the Vonage CLI

The Server SDKs contain methods for generating JWT tokens. You may however use the Vonage CLI to do this as well. This is particularly helpful during testing.

vonage jwt \--app_id=APPLICATION_ID \--subject=MY_USER_NAME \--key_file=PRIVATE_KEY \--acl='{"paths":{"/*/rtc/**":{},"/*/users/**":{},"/*/conversations/**":{},"/*/sessions/**":{},"/*/devices/**":{},"/*/image/**":{},"/*/media/**":{},"/*/applications/**":{},"/*/push/**":{},"/*/knocking/**":{},"/*/legs/**":{}}}'

Using the Server SDKs

It is expected that the accompanying server for your Vonage application will generate JWTs for the Client SDK. Here are some examples using the Vonage Server SDKs:

Version 3 of the Vonage Node Server SDK includes a package for generating JWT tokens. It can also generate a JWT using the appropriate claims.

const { tokenGenerate } = require('@vonage/jwt');

const privateKey = readFileSync('path/to/private.key');

const aclPaths = {
  "paths": {
    "/*/rtc/**": {},
    "/*/users/**": {},
    "/*/conversations/**": {},
    "/*/sessions/**": {},
    "/*/devices/**": {},
    "/*/image/**": {},
    "/*/media/**": {},
    "/*/knocking/**": {},
    "/*/legs/**": {}
  }
}

const token = tokenGenerate("aaaaaaaa-bbbb-cccc-dddd-0123456789ab", privateKey, {
      //expire in 24 hours
      exp: Math.round(new Date().getTime()/1000)+86400,
      sub: "alice",
      acl: aclPaths,
    });

The Vonage JWT JDK library can be used to generate a signed JWT with claims.

val token : String = Jwt.builder()
    .applicationId("aaaaaaaa-bbbb-cccc-dddd-0123456789ab")
    .privateKeyPath("/path/to/private.key")
    .issuedAt(ZonedDateTime.now())
    .subject("alice")
    .addClaim("acl", mapOf(
        "paths" to mapOf(
            "/*/rtc/**" to mapOf(),
            "/*/users/**" to mapOf<String, Any>(),
            "/*/conversations/**" to mapOf(),
            "/*/sessions/**" to mapOf(),
            "/*/devices/**" to mapOf(),
            "/*/image/**" to mapOf(),
            "/*/media/**" to mapOf(),
            "/*/knocking/**" to mapOf(),
            "/*/legs/**" to mapOf()
        )
    ))
    .build()
    .generate()

The Vonage JWT JDK library can be used to generate a signed JWT with claims.

String token = Jwt.builder()
    .applicationId("aaaaaaaa-bbbb-cccc-dddd-0123456789ab")
    .privateKeyPath(Paths.get("/path/to/private.key"))
    .subject("alice")
    .issuedAt(ZonedDateTime.now())
    .expiresAt(ZonedDateTime.now().plusMinutes(20))
    .addClaim("acl", Map.of(
        "paths", Map.of(
            "/*/users/**", Map.of(),
            "/*/conversations/**", Map.of(),
            "/*/sessions/**", Map.of(),
            "/*/devices/**", Map.of(),
            "/*/image/**", Map.of(),
            "/*/media/**", Map.of(),
            "/*/applications/**", Map.of(),
            "/*/push/**", Map.of(),
            "/*/knocking/**", Map.of(),
            "/*/legs/**", Map.of()
        )
    ))
    .build()
    .generate();

The Vonage .NET SDK can be used to generate a signed JWT with claims.

As an example, let's assume we want to add the following claims in the JWT:

var payload = new Dictionary<string, object>
{
    {"sub", "alice"},
    {"exp", DateTimeOffset.UtcNow.AddDays(1).ToUnixTimeSeconds().ToString()},
    {
        "acl", new Dictionary<string, object>
        {
            ["paths"] = new Dictionary<string, object>
            {
                ["/*/users/**"] = new { },
            },
        }
    },
};

There are several ways to generate a JWT.

You can either use the static method CreateToken on the Jwt class:

var credentials = Credentials.FromAppIdAndPrivateKeyPath(VONAGE_APPLICATION_ID, VONAGE_APPLICATION_PRIVATE_KEY_PATH);
var token = Jwt.CreateToken(credentials.ApplicationId, credentials.ApplicationKey, payload);

Or use the method GenerateToken on a Jwt instance:

// Using the credentials instance
var result = tokenGenerator.GenerateToken(credentials, payload);

// Using ApplicationId and ApplicationKey values
var result = tokenGenerator.GenerateToken(credentials.ApplicationId, credentials.ApplicationKey, payload);

The current version of the Vonage PHP Server SDK can also create a JWT including the appropriate claims when using the Keypair authentication.

$keypair = new \Vonage\Client\Credentials\Keypair(
    file_get_contents('/path/to/private.key'),
    'aaaaaaaa-bbbb-cccc-dddd-0123456789ab'
);
$client = new \Vonage\Client($keypair);

$claims = [
    'acl' => [
        'paths' => [
            '/*/rtc/**' => (object) [],
            '/*/users/**' => (object) [],
            '/*/conversations/**' => (object) [],
            '/*/sessions/**' => (object) [],
            '/*/devices/**' => (object) [],
            '/*/image/**' => (object) [],
            '/*/media/**' => (object) [],
            '/*/knocking/**' => (object) [],
            '/*/legs/**' => (object) [],
        ]
    ]
];
$token = $client->generateJwt($claims);
$tokenString = $token->toString();

The Vonage Python JWT library can be used to generate a signed JWT with default or custom claims.

from vonage_jwt import JwtClient

jwt_client = JwtClient(application_id, private_key)

# The `claims` field is optional and can be omitted as defaults are set
claims = {'jti': 'test_jti', 'nbf': now + 100}
vonage_jwt = jwt_client.generate_application_jwt(claims)

If you are not using a Vonage library you should refer to RFC 7519 to implement JWT. JWT.io has a selection of libraries for generating JWTs in multiple languages.