| <!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Client Authentication using tokens · Apache Pulsar</title><meta name="viewport" content="width=device-width, initial-scale=1.0"/><meta name="generator" content="Docusaurus"/><meta name="description" content="## Token Authentication Overview"/><meta name="docsearch:version" content="2.8.2"/><meta name="docsearch:language" content="en"/><meta property="og:title" content="Client Authentication using tokens · Apache Pulsar"/><meta property="og:type" content="website"/><meta property="og:url" content="https://pulsar.apache.org/"/><meta property="og:description" content="## Token Authentication Overview"/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://pulsar.apache.org/img/pulsar.svg"/><link rel="shortcut icon" href="/img/pulsar.ico"/><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/atom-one-dark.min.css"/><link rel="alternate" type="application/atom+xml" href="https://pulsar.apache.org/blog/atom.xml" title="Apache Pulsar Blog ATOM Feed"/><link rel="alternate" type="application/rss+xml" href="https://pulsar.apache.org/blog/feed.xml" title="Apache Pulsar Blog RSS Feed"/><link rel="stylesheet" href="/css/code-blocks-buttons.css"/><script type="text/javascript" src="https://buttons.github.io/buttons.js"></script><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.0/clipboard.min.js"></script><script type="text/javascript" src="/js/custom.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/en"><img class="logo" src="/img/pulsar.svg" alt="Apache Pulsar"/></a><a href="/en/versions"><h3>2.8.2</h3></a><div 
class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class=""><a href="/docs/en/2.8.2/getting-started-standalone" target="_self">Docs</a></li><li class=""><a href="/en/download" target="_self">Download</a></li><li class=""><a href="/docs/en/2.8.2/client-libraries" target="_self">Clients</a></li><li class=""><a href="#restapis" target="_self">REST APIs</a></li><li class=""><a href="#cli" target="_self">Cli</a></li><li class=""><a href="/blog/" target="_self">Blog</a></li><li class=""><a href="#community" target="_self">Community</a></li><li class=""><a href="#apache" target="_self">Apache</a></li><li class=""><a href="https://pulsar-next.staged.apache.org/" target="_self">New Website (Beta)</a></li><span><li><a id="languages-menu" href="#"><img class="languages-icon" src="/img/language.svg" alt="Languages icon"/>English</a><div id="languages-dropdown" class="hide"><ul id="languages-dropdown-items"><li><a href="/docs/ja/2.8.2/security-token-client">日本語</a></li><li><a href="/docs/fr/2.8.2/security-token-client">Français</a></li><li><a href="/docs/ko/2.8.2/security-token-client">한국어</a></li><li><a href="/docs/zh-CN/2.8.2/security-token-client">中文</a></li><li><a href="/docs/zh-TW/2.8.2/security-token-client">繁體中文</a></li><li><a href="https://crowdin.com/project/apache-pulsar" target="_blank" rel="noreferrer noopener">Help Translate</a></li></ul></div></li><script> |
| </script></span></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/pulsar/edit/master/site2/docs/security-token-client.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Client Authentication using tokens</h1></header><article><div><span><h2><a class="anchor" aria-hidden="true" id="token-authentication-overview"></a><a href="#token-authentication-overview" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Token Authentication Overview</h2> |
| <p>Pulsar supports authenticating clients using security tokens that are based on |
| <a href="https://jwt.io/introduction/">JSON Web Tokens</a> (<a href="https://tools.ietf.org/html/rfc7519">RFC-7519</a>).</p> |
| <p>You can use tokens to identify a Pulsar client and associate it with a "principal" (or "role") that |
| is permitted to perform certain actions (for example, publish messages to a topic or consume messages from a topic).</p> |
| <p>The administrator (or some automated service) typically gives a user a token string.</p> |
| <p>The compact representation of a signed JWT is a string that looks like the following:</p> |
| <pre><code class="hljs">eyJhbGciOiJIUzI<span class="hljs-number">1</span><span class="hljs-symbol">NiJ9</span>.eyJzdWIiOiJKb<span class="hljs-number">2</span>UifQ.ipevR<span class="hljs-symbol">NuRP6</span>Hfl<span class="hljs-name">G8</span>cFK<span class="hljs-symbol">nmUPtypruRC4</span>fb<span class="hljs-number">1</span>DWtoLL<span class="hljs-number">62</span>SY |
| </code></pre> |
| <p>The application specifies the token when it creates the client instance. An alternative is to pass a "token supplier" (a function that returns the token when the client library needs one).</p> |
| <p>See <a href="/docs/en/2.8.2/security-token-admin">Token authentication admin</a> for a reference on how to enable token |
| authentication on a Pulsar cluster.</p> |
| <h3><a class="anchor" aria-hidden="true" id="cli-tools"></a><a href="#cli-tools" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>CLI tools</h3> |
| <p><a href="/docs/en/2.8.2/reference-cli-tools">Command-line tools</a> like <a href="/docs/en/2.8.2/reference-pulsar-admin"><code>pulsar-admin</code></a>, <a href="/docs/en/2.8.2/reference-cli-tools#pulsar-perf"><code>pulsar-perf</code></a>, and <a href="/docs/en/2.8.2/reference-cli-tools#pulsar-client"><code>pulsar-client</code></a> use the <code>conf/client.conf</code> config file in a Pulsar installation.</p> |
| <p>To use token authentication with the Pulsar CLI tools, add the following parameters to that file:</p> |
| <pre><code class="hljs css language-properties"><span class="hljs-attr">webServiceUrl</span>=<span class="hljs-string">http://broker.example.com:8080/</span> |
| <span class="hljs-attr">brokerServiceUrl</span>=<span class="hljs-string">pulsar://broker.example.com:6650/</span> |
| <span class="hljs-attr">authPlugin</span>=<span class="hljs-string">org.apache.pulsar.client.impl.auth.AuthenticationToken</span> |
| <span class="hljs-attr">authParams</span>=<span class="hljs-string">token:eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY</span> |
| </code></pre> |
| <p>The token string can also be read from a file, for example:</p> |
| <pre><code class="hljs">authParams=file:<span class="hljs-regexp">//</span><span class="hljs-regexp">/path/</span>to<span class="hljs-regexp">/token/</span>file |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="java-client"></a><a href="#java-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Java client</h3> |
| <pre><code class="hljs css language-java">PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar://broker.example.com:6650/"</span>) |
| .authentication( |
| AuthenticationFactory.token(<span class="hljs-string">"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY"</span>)) |
| .build(); |
| </code></pre> |
| <p>Similarly, one can also pass a <code>Supplier</code>:</p> |
| <pre><code class="hljs css language-java">PulsarClient client = PulsarClient.builder() |
| .serviceUrl(<span class="hljs-string">"pulsar://broker.example.com:6650/"</span>) |
| .authentication( |
| AuthenticationFactory.token(() -> { |
| <span class="hljs-comment">// Read token from custom source</span> |
| <span class="hljs-keyword">return</span> readToken(); |
| })) |
| .build(); |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="python-client"></a><a href="#python-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Python client</h3> |
| <pre><code class="hljs css language-python"><span class="hljs-keyword">from</span> pulsar <span class="hljs-keyword">import</span> Client, AuthenticationToken |
| |
| client = Client(<span class="hljs-string">'pulsar://broker.example.com:6650/'</span>, |
| authentication=AuthenticationToken(<span class="hljs-string">'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY'</span>)) |
| </code></pre> |
| <p>Alternatively, with a supplier:</p> |
| <pre><code class="hljs css language-python"> |
| <span class="hljs-function"><span class="hljs-keyword">def</span> <span class="hljs-title">read_token</span><span class="hljs-params">()</span>:</span> |
| <span class="hljs-keyword">with</span> open(<span class="hljs-string">'/path/to/token.txt'</span>) <span class="hljs-keyword">as</span> tf: |
| <span class="hljs-keyword">return</span> tf.read().strip() |
| |
| client = Client(<span class="hljs-string">'pulsar://broker.example.com:6650/'</span>, |
| authentication=AuthenticationToken(read_token)) |
| </code></pre> |
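| <p>The following sketch is an added example, not code from the Pulsar project. It decodes the segments of the compact JWT shown in the overview (the signature is not verified here; that is the broker's job) and extends the file-reading supplier above with checks for file permissions and an expired <code>exp</code> claim. The names <code>inspect_token</code> and <code>make_file_token_supplier</code> are hypothetical, and POSIX file modes are assumed.</p> |

```python
import base64
import json
import os
import stat
import time

# Sample token shown on this page: header {"alg":"HS256"}, payload {"sub":"Joe"}.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ."
              "ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY")


def _b64url_json(segment):
    """Decode one base64url JWT segment (padding restored) into a dict."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_token(token):
    """Return (header, claims) WITHOUT verifying the signature.

    The claims are only encoded, not encrypted: anyone holding the token
    string can read the principal in "sub".
    """
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError("not a compact signed JWT (expected 3 non-empty segments)")
    return _b64url_json(parts[0]), _b64url_json(parts[1])


def make_file_token_supplier(path, now=time.time):
    """Build a zero-argument supplier that re-reads `path` on every call,
    so a rotated token file is picked up without restarting the client."""
    def supplier():
        mode = os.stat(path).st_mode
        # Refuse token files that group or other users can access (POSIX modes).
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/other; chmod 600 it")
        with open(path) as tf:
            token = tf.read().strip()
        _, claims = inspect_token(token)
        exp = claims.get("exp")
        # "exp" is optional; the token on this page carries only "sub".
        if exp is not None and exp <= now():
            raise ValueError(f"token for {claims.get('sub')!r} has expired")
        return token
    return supplier


if __name__ == "__main__":
    print(inspect_token(PAGE_TOKEN))
```

| <p>Pass the result to the client the same way as <code>read_token</code> above: <code>AuthenticationToken(make_file_token_supplier('/path/to/token.txt'))</code>.</p> |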
| <h3><a class="anchor" aria-hidden="true" id="go-client"></a><a href="#go-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Go client</h3> |
| <pre><code class="hljs css language-go">client, err := NewClient(ClientOptions{ |
| URL: <span class="hljs-string">"pulsar://localhost:6650"</span>, |
| Authentication: NewAuthenticationToken(<span class="hljs-string">"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY"</span>), |
| }) |
| </code></pre> |
| <p>Alternatively, with a supplier:</p> |
| <pre><code class="hljs css language-go">client, err := NewClient(ClientOptions{ |
| URL: <span class="hljs-string">"pulsar://localhost:6650"</span>, |
| Authentication: NewAuthenticationTokenSupplier(<span class="hljs-function"><span class="hljs-keyword">func</span> <span class="hljs-params">()</span> <span class="hljs-title">string</span></span> { |
| <span class="hljs-comment">// Read token from custom source</span> |
| <span class="hljs-keyword">return</span> readToken() |
| }), |
| }) |
| </code></pre> |
| <h3><a class="anchor" aria-hidden="true" id="c-client"></a><a href="#c-client" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>C++ client</h3> |
| <pre><code class="hljs css language-c++"><span class="hljs-meta">#<span class="hljs-meta-keyword">include</span> <span class="hljs-meta-string">&lt;pulsar/Client.h&gt;</span></span> |
| |
| pulsar::ClientConfiguration <span class="hljs-built_in">config</span>; |
| <span class="hljs-built_in">config</span>.setAuth(pulsar::AuthToken::createWithToken(<span class="hljs-string">"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJKb2UifQ.ipevRNuRP6HflG8cFKnmUPtypruRC4fb1DWtoLL62SY"</span>)); |
| |
| <span class="hljs-function">pulsar::<span class="hljs-built_in">Client</span> <span class="hljs-title">client</span><span class="hljs-params">(<span class="hljs-string">"pulsar://broker.example.com:6650/"</span>, <span class="hljs-built_in">config</span>)</span></span>; |
| </code></pre> |
| </span></div></article></div><div class="docs-prevnext"></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#token-authentication-overview">Token Authentication Overview</a><ul class="toc-headings"><li><a href="#cli-tools">CLI tools</a></li><li><a href="#java-client">Java client</a></li><li><a href="#python-client">Python client</a></li><li><a href="#go-client">Go client</a></li><li><a href="#c-client">C++ client</a></li></ul></li></ul></nav></div><footer class="nav-footer" id="footer"><section class="copyright">Copyright © 2022 The Apache Software Foundation. All Rights Reserved. Apache, Apache Pulsar and the Apache feather logo are trademarks of The Apache Software Foundation.</section><span><script> |
| </script></span></footer></div><script>window.twttr=(function(d,s, id){var js,fjs=d.getElementsByTagName(s)[0],t=window.twttr||{};if(d.getElementById(id))return t;js=d.createElement(s);js.id=id;js.src='https://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js, fjs);t._e = [];t.ready = function(f) {t._e.push(f);};return t;}(document, 'script', 'twitter-wjs'));</script></body></html> |