An introduction to room access control with Daily API meeting tokens

Overview

One of our most popular customer requests is how to do access control via our API. We’ll leverage the /meeting-tokens endpoints to accomplish this.

Consider an online school with the following types of users:

  • Administrator - needs admin access to all rooms. They may drop in as needed to make announcements, and they have control over the various features of the room.
  • Teacher - same needs as an administrator but local to their own room.
  • Student - needs to be able to join their room to attend classes.

Getting Started

First things first, make sure you have signed up for a Daily.co account and that you have an API key (see your Developers tab).

From there you can use your API key directly on the docs page to execute API calls (see Using these docs), or you can use the terminal utility of your choice and execute them via curl.

A room of your own

Our ultimate goal is to facilitate a video call and that all starts with a room, so let’s create one. As a means of demonstrating our access control features, we’re going to create a room with the following non-default properties:

  • "privacy": "private" - since tokens are one of the ways of accessing private rooms
  • "owner_only_broadcast": true - this means only owners can turn on camera, mic, and share their screen

This will create a private room where only owners can broadcast.

Run the following curl command to create the room:

curl --request POST \
--url https://api.daily.co/v1/rooms \
--header 'authorization: Bearer INSERT_YOUR_TOKEN_HERE' \
--header 'content-type: application/json' \
--data '{"properties":{"owner_only_broadcast":true},"name":"test-room","privacy":"private"}'

If your request was successful, you should get a response like this:

{"id":"3e1c696b-3dfa-4b20-8d13-153eb25a5bce","name":"test-room","api_created":true,"privacy":"private","url":"https://dailyphil.daily.co/test-room","created_at":"2020-05-12T22:56:22.309Z","config":{"owner_only_broadcast":true}}

Token access

Now let’s consider our tokens in terms of the roles we want to use them for.

Our administrator needs access to every meeting so we will create a token for them with the following properties:

  • "is_owner": true
  • "user_name": "Administrator"

Note the omission of room_name: without it, the user holding this token has access to every meeting on your domain. We highly recommend that you instead grant specific tokens for each room; we omit room_name here only to demonstrate domain-level access. Additionally, be sure to specify a token expiry for every token you create in production.

Run the following curl command to create the token:

curl --request POST \
--url https://api.daily.co/v1/meeting-tokens \
--header 'authorization: Bearer INSERT_YOUR_TOKEN_HERE' \
--header 'content-type: application/json' \
--data '{"properties":{"is_owner":true,"user_name":"Administrator"}}'

If your request was successful, you should get a response like this (token value truncated for security):

{"token":"eyJ..."}

Now we’ll create a similar token for our teacher, but we’ll include a room_name to scope it to their particular classroom. In this case the properties are:

  • "is_owner": true
  • "user_name": "Teacher"
  • "room_name": "test-room"

curl --request POST \
--url https://api.daily.co/v1/meeting-tokens \
--header 'authorization: Bearer INSERT_YOUR_TOKEN_HERE' \
--header 'content-type: application/json' \
--data '{"properties":{"is_owner":true,"user_name":"Teacher","room_name":"test-room"}}'

Success:

{"token":"eyJ..."}

And finally we'll create a student token, with the following properties:

  • "user_name": "Student"
  • "room_name": "test-room"

curl --request POST \
--url https://api.daily.co/v1/meeting-tokens \
--header 'authorization: Bearer INSERT_YOUR_TOKEN_HERE' \
--header 'content-type: application/json' \
--data '{"properties":{"user_name":"Student","room_name":"test-room"}}'

Success:

{"token":"eyJ..."}
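As an added example (not code from the original post or from Daily), the Python below builds the three request bodies above while enforcing the two recommendations made earlier: a token is scoped to a room unless domain-wide access is explicitly allowed, and every token carries an expiry. It assumes Daily's `exp` token property (a Unix timestamp); the function names, `MAX_TTL` and the role table are hypothetical.

```python
import json
import time
import urllib.request

API_URL = "https://api.daily.co/v1/meeting-tokens"  # endpoint used on this page
MAX_TTL = 8 * 3600  # assumed policy: no token outlives a school day

# Role table from the page: administrators and teachers are room owners.
ROLES = {
    "Administrator": {"is_owner": True},
    "Teacher": {"is_owner": True},
    "Student": {},
}

def token_properties(role, room_name=None, ttl=3600, now=None,
                     allow_domain_wide=False):
    """Return the "properties" object for POST /meeting-tokens."""
    if role not in ROLES:
        raise ValueError(f"unknown role: {role!r}")
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 second and MAX_TTL")
    if room_name is None:
        # Omitting room_name yields a token valid for every room on the domain,
        # so it must be an explicit, administrator-only decision.
        if not (allow_domain_wide and role == "Administrator"):
            raise ValueError("room_name is required for this role")
    props = dict(ROLES[role], user_name=role)
    if room_name is not None:
        props["room_name"] = room_name
    now = int(time.time()) if now is None else int(now)
    props["exp"] = now + ttl  # Unix timestamp at which the token expires
    return props

def build_request(api_key, props):
    """Build (but do not send) the HTTP request the curl commands issue."""
    body = json.dumps({"properties": props}).encode()
    return urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})

if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder as in the curl examples.
    for role, room in [("Teacher", "test-room"), ("Student", "test-room")]:
        req = build_request("INSERT_YOUR_TOKEN_HERE", token_properties(role, room))
        print(role, req.data.decode())
```

Pass the returned request to `urllib.request.urlopen` from server-side code only, so the API key never reaches a browser.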

Time for a test

The easiest way to test our various tokens is to add the t=INSERT_TOKEN query parameter to your meeting link.

The meeting link will look like this:

https://dailyphil.daily.co/test-room?t=INSERT_TOKEN_HERE

Functionally speaking, the administrator and teacher links should work identically. The student link will be different. Because we turned on owner_only_broadcast, the student link will have camera and microphone turned off and no option to turn them on.

Summary

You should now understand the basics of creating tokens with different access controls. For a full picture of meeting management for rooms and tokens, combine what you learned today with our post on time limits.
