SeuraaEdge
v1

Design channels and grant narrowly scoped permissions.

Channels And Authorization

Channels organize events and define an authorization boundary within your app.

Channel Types

| Prefix | Use |
| --- | --- |
| public:* | Shared application streams. |
| private:* | User, account, team, or resource-specific streams. |
| presence:* | Shared streams with live membership information. |

Channel names are case-sensitive identifiers. They must start with a supported prefix, include a name after it, contain only letters, numbers, _, -, and :, and be no longer than 80 bytes.

Every channel requires a signed channel token. The prefix communicates the channel's intended behavior; your backend still decides who may access it.

Subscribe Permission

Grant subscribe to allow a user to join a channel:

```ts
edge.auth.signIn({
  channel: "private:user-123",
  permissions: ["subscribe"],
  userId: "user-123",
});
```

Publish Permission

Browser publishing is disabled unless the token grants it.

```ts
edge.auth.signIn({
  channel: "presence:document-123",
  permissions: [
    "subscribe",
    "publish:typing.started",
    "publish:typing.stopped",
  ],
  userId: "user-123",
});
```

Publish permissions support exact event names and wildcard patterns:

| Permission | Grants |
| --- | --- |
| publish:message.created | Only message.created |
| publish:message.* | Any event beginning with message. |
| publish:* | Every event |

Prefer the narrowest permission that supports the browser workflow.

Channel Patterns

A token may authorize additional channels with channelPatterns:

```ts
edge.auth.signIn({
  channel: "private:team-123",
  channelPatterns: ["private:team-123:*"],
  permissions: ["subscribe"],
  userId: "user-123",
});
```

Patterns use * as a wildcard. Keep patterns inside a resource boundary that your backend has already authorized.

Authorize Channels In Your Backend

Derive channel access from the authenticated user and your application data:

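```ts
// Runs inside your token endpoint's request handler.
// requireUser is assumed to be your application's own authentication helper.
const user = await requireUser(request);
const { channel } = await request.json();

// The requested channel comes from the client, so compare it to server-side identity.
if (channel !== `private:${user.id}`) {
  return Response.json({ error: "Forbidden" }, { status: 403 });
}
```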

Authorize the request using your application's user, team, resource, and membership data.
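
A backend guard that combines the naming rules, the channel-pattern boundary, and the ownership check described on this page, as an added example rather than SeuraaEdge code. The User and TokenRequest shapes, the function names, the `private:<id>` ownership mapping, and the reading of "letters" as ASCII letters are assumptions.

```typescript
// Added example, not SDK code. Types and function names are hypothetical.
type User = { id: string; teamIds: string[] };
type TokenRequest = { channel: string; channelPatterns?: string[] };

const PREFIXES = ["public:", "private:", "presence:"];

// Naming rules from this page: supported prefix, a name after it,
// only letters, numbers, _, -, and :, and at most 80 bytes.
function isValidChannelName(name: string): boolean {
  const prefix = PREFIXES.find((p) => name.startsWith(p));
  if (!prefix || name.length === prefix.length) return false;
  if (!/^[A-Za-z0-9_:-]+$/.test(name)) return false;
  // The regex admits ASCII only, so the character count equals the byte count.
  return name.length <= 80;
}

// True when the pattern is the boundary itself or extends it past a ":"
// separator, so every "*" sits below a resource already authorized.
function patternWithinBoundary(pattern: string, boundary: string): boolean {
  if (!/^[A-Za-z0-9_:*-]+$/.test(pattern)) return false;
  return pattern === boundary || pattern.startsWith(boundary + ":");
}

// Returns the options to pass to edge.auth.signIn, or null for a 403.
// The request body is untrusted, so shapes are checked at runtime too.
function grantFor(user: User, req: TokenRequest) {
  if (typeof req.channel !== "string" || !isValidChannelName(req.channel)) return null;

  // Channels this user owns, derived from server-side data only.
  const owned = [user.id, ...user.teamIds].map((id) => `private:${id}`);
  if (!owned.includes(req.channel)) return null;

  const patterns = req.channelPatterns ?? [];
  if (!Array.isArray(patterns)) return null;
  const ok = patterns.every(
    (p) => typeof p === "string" && patternWithinBoundary(p, req.channel),
  );
  if (!ok) return null;

  // Narrowest grant: subscribe only, no browser publishing.
  return {
    channel: req.channel,
    channelPatterns: patterns,
    permissions: ["subscribe"],
    userId: user.id,
  };
}
```

A pattern such as `private:team-*` is rejected because its wildcard falls before the end of the authorized channel name and would reach other teams' channels.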