[FTF-468] Several docs changes to highlight token auth over API key auth, as well as more info on using JWTs

[umair-ably]

Description

Comprehensive overhaul of authentication documentation to help developers choose the right auth method and implement it securely.

Key additions:

• 4 new guides: JWT integration (Auth0/Firebase/Cognito), authentication quick reference, and dedicated Chat/Spaces auth guides
• Token mechanism comparison: New "Choosing a token mechanism" section in /docs/auth/token comparing TokenRequest vs Ably JWT vs Embedded JWT with decision criteria and architectural scenarios
• Security-first messaging: Added explicit warnings about API key exposure to all getting-started guides (React, Swift, Android, etc.)
• MQTT JWT auth: New section documenting JWT authentication for IoT/embedded devices

Changes across 46 files:

• auth/token.mdx: +400 lines covering token selection, JWT-only features, and scenarios (standard apps, existing JWT infra, IoT, serverless, multi-tenant SaaS, rate limiting)
• auth/capabilities.mdx: Added callouts clarifying JWT-only features (channel claims, rate limits)
• chat/setup.mdx, spaces/setup.mdx: Restructured to lead with token auth, added JWT alternative
• All getting-started guides: Replaced ambiguous "use token auth in production" with explicit security warnings
• Navigation: Added new pages to Chat, Spaces, and Pub/Sub nav trees

Why this matters:

• Users frequently misunderstand when to use API keys vs tokens
• JWT integration with existing identity providers (Auth0, Firebase, Cognito) was undocumented
• No clear guidance existed on JWT-only features like channel claims and rate limits
• Getting-started guides implied API keys were acceptable for development without emphasizing the security boundary

Checklist

• Commits have been rebased.
• Linting has been run against the changed file(s).
• The PR adheres to the writing style guide and contribution guide.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[paddybyers]

I've commented on much of this but stopped around half way through. I think it needs significant revision to make JWT the primary recommended route. The narrative and examples all need updating to reflect this.

A lot of this is slop - it's been AI-generated and not critically reviewed.

[paddybyers]

Why are we suggesting authURL instead of callback here? Does it not need at least some comment?

[paddybyers]

Why is this using native tokens, instead of generating a JWT?

[paddybyers]

I'm not convinced this section adds anything. It feels like slop.

[mattheworiordan]

really a duplciate of https://ably-docs-authchanges-py2loc0j.herokuapp.com/docs/auth#selecting-auth. I do thinkg repetition is good at times, but why here?

[paddybyers]

These are not the only things that could go wrong, or even the most likely things that could go wrong.

Error 40103: Token expired

Not according to https://github.com/ably/ably-common/blob/main/protocol/errors.json#L40

If we're going to retain this section we should also refer to:
40160: incorrect capabilities
80019: error in auth callback/url
40171: no means to renew token

Perhaps we should defer adding this section until we've got the more thorough error code documentation landed?

[mattheworiordan]

Why do we need troubleshooting at all? We have error codes and paths. Do we think people are going to read this and pre-empty troubles?

[paddybyers]

I don't agree with this. We recommend JWT in all circumstances that they can be used. There are only two situations where you would use native tokens:

• where the capabilities list is so large that a literal token is unworkable;
• where the capabilities or clientId are sensitive in some way, and there is a desired to keep them confidential, even if inspecting the token.

Of these, I'm not sure we should even mention the second one because it's such an unusual case.

[paddybyers]

This is irrelevant. I suggest removing it.

[paddybyers]

This should refer to identified clients.

[paddybyers]

This is incorrect advice. It should state instead that a client needs to be identified in order to use certain reaction types. It does not imply the use of token auth.

[paddybyers]

I don't understand why this comment is here. Doesn't the chat SDK ensure that a client is always identified?

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[paddybyers]

Again, we should be recommending JWT auth.

[mattheworiordan]

Thanks for submitting. Good to see you take a stab at dealing with the LLM auth issues, but I think this PR needs a lot more human review by yourself before it's sent for others to review. Lots of obvious problems as it appears to have been pumped out directly from an LLM, which is great to move quickly, but thiks is our docs, and is representative of whether we care to customers.

[mattheworiordan]

I am not sure this is what we'd recommend, always sending both tokens instead of just the one you need? Why would a single endpoint be used for Ably and app auth, when both only need one of the two JWTs?

[mattheworiordan]

This URL doesn't match the server example you have above

[mattheworiordan]

This approach is broken in that a new app token cannot be generated as it's cached at the time of login, instead of obtaining one at the time it's needed

[mattheworiordan]

If that's teh case, why are you not specifying a TTL when issuing the token?

[mattheworiordan]

I am not sure we should be just listing out integrations with random providers like this. It doesn't really flow, at the start we're talking about issuing JWTs ,then we are showing random integrations where with this one we're just showing how to issue a token with Lambda, and then we move onto token renewal. It doesn' feel well thought through, why this order?

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Why have you introduced Next Steps? We've not used this in the docs.

[mattheworiordan]

Yes it does, this is needless information as they cannot connect without a clientId

[mattheworiordan]

This is not necessary. If this is needed, the problem of which auth mechanism t use is surely solved?

[umair-ably]

Thanks both @mattheworiordan @paddybyers

I should've made it clear I had not yet reviewed the LLM output, so this at the very least should've been a draft only! I mostly put it up to get a gauge on the kind of content we think we were missing and the placement of it.

However, your comments have massively helped me in understanding the scope of what needs changing in our auth docs, as well as highlighting my limited understanding of exactly what we're trying to tell and recommend to our customers. I've got a session with Mark and Paddy shortly to understand exactly what our position is re: Auth with Ably, what we're trying to tell our customers, and some historical context of how auth has evolved to the point we seem to have deviations in our docs.

I'm trying to solely use LLMs for this, so again, some of these changes are likely subpar as I get a better understanding of the problem later today. For the time-being, I've gone back and forth with Claude to "resolve" (or at least have a stab at resolving) your current comments.

I would ignore this for now until I've had a chance to capture and implement the findings from our meeting later today - this is purely to move the needle and help my own understanding from what you've presented in the comments so far.

Comments on auth/quick-reference.mdx (12 comments)

Comment	Resolved
paddybyers: Why authURL instead of callback?	✅ Added "authUrl vs authCallback" section explaining both
paddybyers: Why native tokens instead of JWT?	✅ Server examples now generate JWTs directly
paddybyers: Security comparison feels like slop	✅ Section removed
paddybyers: Troubleshooting section issues	✅ Section removed
mattheworiordan: Decision matrix unclear	✅ Removed, simplified to code examples
mattheworiordan: Duplicating overview page	✅ Simplified to quick reference focus
mattheworiordan: Server using Realtime not REST	✅ Now uses Ably.Rest server-side
mattheworiordan: getUserIdFromRequest odd name	✅ Now uses req.user?.id (auth middleware pattern)
All troubleshooting/product links comments	✅ These sections removed

Comments on auth/token.mdx (8 comments)

Comment	Resolved
paddybyers: JWT should be primary, not TokenRequest	✅ "Ably JWT is recommended for most use cases"
paddybyers: Serverless in wrong section	✅ Moved to JWT section (stateless)
paddybyers: TokenRequest advantages become disadvantages	✅ Restructured with proper trade-offs
paddybyers: Too much repetition	✅ Cleaned up, table simplified
mattheworiordan: Table values questionable	✅ Table revised with clearer yes/no values

Comments on auth/jwt-integration.mdx (8 comments)

Comment	Resolved
mattheworiordan: Sending both tokens wrong	✅ File simplified, single endpoint approach
mattheworiordan: URL mismatch	✅ Consistent /api/ably-jwt throughout
mattheworiordan: Token caching broken	✅ Now uses proper authCallback pattern
mattheworiordan: No TTL specified	✅ expiresIn: '1h' now included
mattheworiordan: Random provider list	✅ Provider integrations removed
mattheworiordan: getCurrentAppToken confusing	✅ Removed
mattheworiordan: "Next Steps" not used in docs	✅ Section removed

Comments on chat/authentication.mdx (12 comments)

Comment	Resolved
paddybyers: Should recommend JWT	✅ Creates JWTs directly
mattheworiordan: authMethod/authHeaders inconsistent	✅ Examples now consistent using authCallback
mattheworiordan: Send/receive should be separate	✅ Capability table has separate rows
mattheworiordan: Missing annotations/mutations	✅ Table includes annotation-publish, etc.
mattheworiordan: Wrong namespace format	✅ Correct my-room::$chat format
mattheworiordan: "Next Steps" section	✅ Removed

Comments on Chat Room Features (6 comments)

File	Comment	Resolved
rooms/occupancy.mdx	Auth callout irrelevant	✅ Removed
rooms/presence.mdx	Should link to identified-clients	✅ Links to /docs/auth/identified-clients
rooms/reactions.mdx	Should mention identified clients	✅ Now references identified clients
rooms/typing.mdx	Unnecessary auth note	✅ Removed

Comments on chat/setup.mdx (1 comment)

Comment	Resolved
Empty code blocks	✅ All code blocks now have content

Comments on spaces/authentication.mdx & spaces/avatar.mdx (2 comments)

Comment	Resolved
"Next Steps" not used in docs	✅ Removed
Auth note unnecessary in avatar.mdx	✅ Removed

---

Key Changes Made

1. JWT is now the recommended primary auth mechanism throughout all docs
2. Removed unnecessary sections: Security comparison, Troubleshooting, Next Steps, Provider integrations
3. Server examples use REST client instead of Realtime
4. Consistent authCallback examples across all SDKs
5. Accurate capability tables with separate permissions
6. Proper identified client references in Chat features
7. jwt-integration.mdx dramatically simplified from ~430 lines to ~89 lines
8. Fixed empty code blocks in setup.mdx