Sendbird API Token Security Guide
To call the Sendbird Platform API you need an API token issued for your Sendbird application. This guide covers how to keep that token safe and how to reissue it when necessary.
Sendbird has two kinds of API token: the "master token" and "secondary tokens". The master token can issue and delete secondary tokens but cannot itself be modified, so keep it for token administration and use secondary tokens for day-to-day API calls. Both are shown in the dashboard under Settings > Application > General > API tokens.
To strengthen token security, follow the recommendations in the sections below.
Use of secure storage
Follow industry best practice when issuing and storing API tokens. The token belongs in an environment variable or a secret store, never hard-coded in source code or committed to a repository. Additionally, never call the Platform API directly from a client front end in production: anything shipped to a browser or mobile app can be read out of it. Always route those calls through a backend proxy you control, so the Sendbird API token is only ever attached server-side.
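The following is an added example, not Sendbird's own code, of the proxy pattern described above: the token is loaded from an environment variable (assumed here to be named SENDBIRD_API_TOKEN), the front end is only allowed to reach an allowlist of paths, and the token is attached server-side. It assumes the Platform API base URL `https://api-{application_id}.sendbird.com/v3` and the `Api-Token` request header; the allowlist, the app ID and the offline transport are illustrative.

```python
"""Server-side proxy that keeps the Sendbird API token out of the browser.

Added example, not Sendbird's own code. Assumptions: the Platform API lives at
https://api-{APP_ID}.sendbird.com/v3 and authenticates with an `Api-Token`
header; the token is read from the SENDBIRD_API_TOKEN environment variable.
"""
import json
import os
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

# Paths the front end may reach through the proxy (illustrative). Everything
# else is refused, so a compromised client cannot turn the server into a
# generic Sendbird relay, e.g. to list or issue API tokens.
ALLOWED_PREFIXES = ("/v3/users/", "/v3/group_channels/")


def load_token(env=os.environ):
    """Read the token from the environment and refuse to start without it."""
    token = env.get("SENDBIRD_API_TOKEN")
    if not token:
        raise RuntimeError("SENDBIRD_API_TOKEN is not set")
    return token


def is_allowed(path):
    """Reject absolute and protocol-relative URLs, traversal, and non-allowlisted paths."""
    parts = urlsplit(path)
    if parts.scheme or parts.netloc or ".." in parts.path.split("/"):
        return False
    return parts.path.startswith(ALLOWED_PREFIXES)


def build_request(app_id, path, token, method="GET", body=None):
    """Attach the token on the server side; the client never sees it."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Api-Token": token, "Content-Type": "application/json; charset=utf8"}
    return Request(f"https://api-{app_id}.sendbird.com{path}",
                   data=data, headers=headers, method=method)


def http(req):
    """Default transport: urlopen, reduced to (status, body bytes)."""
    with urlopen(req) as resp:
        return resp.status, resp.read()


def proxy(app_id, path, token, method="GET", body=None, transport=http):
    """Forward an allowlisted client request; return (status, body text)."""
    if not is_allowed(path):
        return 403, json.dumps({"error": "path not allowed"})
    status, body_bytes = transport(build_request(app_id, path, token, method, body))
    return status, body_bytes.decode()


def offline_transport(req):
    """Constructed stand-in for the network: echoes what the proxy would have sent.
    urllib normalises header names, so the header is read back as 'Api-token'."""
    return 200, json.dumps({"url": req.full_url,
                            "method": req.get_method(),
                            "token_seen": req.get_header("Api-token")}).encode()


if __name__ == "__main__":
    tok = load_token({"SENDBIRD_API_TOKEN": "example-secondary-token"})
    print(proxy("APP_ID", "/v3/users/alice", tok, transport=offline_transport))
    print(proxy("APP_ID", "/v3/applications/api_tokens", tok, transport=offline_transport))
```

In a real deployment the proxy must also authenticate the end user and derive the Sendbird user ID from that session rather than trusting one supplied by the client; otherwise the allowlist only limits which endpoints an attacker can reach, not whose data.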
Regular rotation
Tokens should be rotated periodically to limit the damage a long-lived credential can do once it leaks. Rotation of secondary tokens can be automated with the master token: issue a new secondary token, switch every consumer to it, and only then delete the old one, so there is never a window with no valid token. Additionally, tokens that are no longer used must be deleted immediately rather than left active.
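The following is an added example, not Sendbird's own code, of automating that rotation with the master token. It assumes secondary tokens are managed under `/v3/applications/api_tokens` (POST issues one, GET lists them, DELETE `/{token}` revokes one), that the master token is sent in the `Api-Token` header, and that the listing returns `api_tokens` entries with `token` and `created_at` in epoch seconds; verify these against the Platform API reference for your application. The 90-day policy, the app ID and the in-memory backend are illustrative.

```python
"""Rotate Sendbird secondary API tokens using the master token.

Added example, not Sendbird's own code. Assumptions: secondary tokens are managed
under /v3/applications/api_tokens (POST issues one, GET lists them, DELETE
/{token} revokes one), the master token goes in the `Api-Token` header, and the
listing returns {"api_tokens": [{"token": ..., "created_at": <epoch seconds>}]}.
"""
import json
import time
from urllib.request import Request, urlopen

MAX_AGE_DAYS = 90  # rotation policy (illustrative); set it from your own risk assessment


def http(req):
    """Default transport: urlopen, reduced to (status, body bytes)."""
    with urlopen(req) as resp:
        return resp.status, resp.read()


def api_call(app_id, master_token, method, path, transport=http):
    """One Platform API call authenticated with the master token."""
    req = Request(f"https://api-{app_id}.sendbird.com{path}",
                  headers={"Api-Token": master_token}, method=method)
    status, body = transport(req)
    if status >= 300:
        raise RuntimeError(f"{method} {path} failed with HTTP {status}")
    return json.loads(body.decode() or "{}")


def stale_tokens(listing, now, max_age_days=MAX_AGE_DAYS):
    """Tokens older than the policy, oldest first."""
    cutoff = now - max_age_days * 86_400
    return sorted((t for t in listing.get("api_tokens", []) if t["created_at"] < cutoff),
                  key=lambda t: t["created_at"])


def rotate(app_id, master_token, publish, now=None, transport=http):
    """Issue a new secondary token, publish it, then revoke stale ones.

    `publish` writes the new token wherever services read it (a secrets manager,
    not source code). It runs before any revocation, so consumers never face a
    window with no valid token. Returns (new_token, [revoked tokens]).
    """
    now = now or int(time.time())
    path = "/v3/applications/api_tokens"
    new_token = api_call(app_id, master_token, "POST", path, transport)["token"]
    publish(new_token)
    listing = api_call(app_id, master_token, "GET", path, transport)
    revoked = []
    for old in stale_tokens(listing, now):
        if old["token"] == new_token:
            continue
        api_call(app_id, master_token, "DELETE", f"{path}/{old['token']}", transport)
        revoked.append(old["token"])
    return new_token, revoked


class OfflineSendbird:
    """Constructed in-memory stand-in for the token endpoints, so this runs offline."""

    def __init__(self, tokens, now):
        self.tokens, self.now, self.counter = dict(tokens), now, 0

    def __call__(self, req):
        method, path = req.get_method(), req.selector
        if req.get_header("Api-token") != "master-token":  # urllib normalises the header name
            return 401, b'{"message": "bad token"}'
        if method == "POST":
            self.counter += 1
            tok = f"secondary-{self.counter}"
            self.tokens[tok] = self.now
            return 200, json.dumps({"token": tok, "created_at": self.now}).encode()
        if method == "GET":
            return 200, json.dumps({"api_tokens": [
                {"token": t, "created_at": c} for t, c in self.tokens.items()]}).encode()
        if method == "DELETE":
            if self.tokens.pop(path.rsplit("/", 1)[1], None) is None:
                return 404, b'{"message": "no such token"}'
            return 200, b"{}"
        return 405, b"{}"


if __name__ == "__main__":
    now = 1_700_000_000
    backend = OfflineSendbird({"secondary-old": now - 120 * 86_400,
                               "secondary-recent": now - 10 * 86_400}, now)
    print(rotate("APP_ID", "master-token", publish=print, now=now, transport=backend))
```

Run this from a scheduler that itself reads the master token from a secret store; the master token never leaves that job, and the token the rest of the fleet uses is always a secondary one that this job can revoke.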