How to "add" more grants to an existing Access Token?

My application (serverless node/react) uses Sync to coordinate the acceptance of participants in a given room. And I'm using a Sync Access Token. I would like to later add the Video grant (if allowed) to the same Access Token. The problem I have is that I don't see any way to create the Sync token from a string (stored as a cookie) and then add the Video grant. Is that possible?

Best Answer

  • pnash (mod), Accepted Answer

    Hey @educobuci. Interesting question!

    Access tokens are signed JWTs. If you look at the token you will see it is a string made up of three parts separated by two periods: header.body.signature. The header and body sections are base64-url encoded JSON strings and the signature is then made up by taking the encoded header, encoded body, a secret (your API Secret) and hashed using SHA256. You can read about this process for Twilio tokens in the documentation here or a generic description of how JWTs work here.

    What this means is, given a JWT, you could verify the signature using your API secret, then decode the body into a JavaScript object, add a Video grant to that object, stringify the object, then base64-url encode it again and then sign the new token with your API secret again. If you do this, you will see that the header of the JWT will remain the same as the original token you created, but the body and the signature will have changed. Updating a token like that technically would break some of the claims in the body though. One of the claims is iat, meaning "issued at", but since you issued the token, then updated it, it is now slightly wrong. You also have an exp header on a Twilio JWT, which sets the time the token expires. This won't change either if you just add a grant.

    However, I don't necessarily think that updating and resigning a token is that helpful. Even though several aspects of the new token are unchanged from the old one, you still end up with two different tokens. The old Sync-only token is still valid to use for Sync and the new token can be used for both Sync and Video. So, rather than go to the trouble of decoding an existing token, I would recommend just creating a new token that has both grants.

    Or, you could just create a Video-only token that your user can use to connect to a Video room while they continue to use the Sync token for the Sync service.

    All in all, I don't think you gain anything from updating a token (especially as it effectively creates a new token anyway) and you would be better served considering creating a new joint token, or just creating tokens for Video when you need them.
