Securely Implement Pusher Private Channels with PHP and JavaScript
This guide explains how to restrict access to Pusher channels using private channels, covering authentication flow, required server‑side PHP setup, client‑side JavaScript integration, and step‑by‑step code examples for publishing and receiving secure real‑time messages.
When you need to limit access to a channel, use Pusher private channels; subscription requires an authorized HTTP request to a configurable authentication URL.
Security Communication Architecture
Authorization steps : To use Pusher private channels securely, follow these steps:
Instantiate Pusher : Create a Pusher instance on the client with your app key and configuration.
Connect WebSocket : Call the connection method to open a WebSocket link to the server.
Unique client : Each socket_id returned by pusher:connection_established is unique.
Subscribe private channel : After the connection, call subscribe with the private channel name and authentication data.
Perform authentication : The user must be authorized; send a request containing the channel name and socket_id to your auth endpoint, which returns a JSON signature.
Configure auth URL : Set the client’s authentication URL; the server should respond with JSON like {"auth":"key:signature"}.
Trigger channel callbacks : Once subscribed, the server can trigger events that the client receives.
Authentication Setup
1. Install dependencies composer require pusher/pusher-php-server 2. Authorization endpoint pseudocode (PHP)
public function pusherAuth(Request $request) {
$param = $request->post();
if (!isset($param['channel_name']) || !isset($param['socket_id'])) {
return 403;
}
$options = array(
'cluster' => 'ap3',
'useTLS' => true
);
$pusher = new Pusher('108365f54d1d934e76781', '9cfbfd3b06290c427de62', '13394324', $options);
$presenceData = array('name' => 'Tinywan');
return $pusher->presenceAuth($param['channel_name'], $param['socket_id'], '1', $presenceData);
}3. Authentication endpoint URL
http://127.0.0.1:8787/test/pusher-authDemo Code
1. Client code (private_channel_client.html)
<!DOCTYPE html>
<head>
<title>Private channels</title>
<script src="https://js.pusher.com/7.0/pusher.min.js"></script>
<script>
// (1) Create instance
const pusher = new Pusher('108365f54d1d934e76781', {
cluster: 'ap3',
authEndpoint: 'http://127.0.0.1:8787/test/pusher-auth'
});
// (2) Subscribe channel
var uid = 1;
var privateChannel = pusher.subscribe('private-user-' + uid);
// (3) Bind event
privateChannel.bind('private-event', function(data) {
alert(JSON.stringify(data));
});
</script>
</head>
<body>
<h1>Private channels Test</h1>
</body>2. Server code (private_channel_server.php)
<?php
require_once '../../vendor/autoload.php';
$options = array(
'cluster' => 'ap3',
'useTLS' => true
);
$pusher = new Pusher\Pusher('108365f54d1d934e76718', '9cfbfd3b06290c427d1e6', '13394341', $options);
$data['message'] = 'Hi Tinywan private 2022';
$pusher->trigger('private-user-1', 'private-event', $data);Server Push Message
Client Receives Message
Authorization response
Received message
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Open Source Tech Hub
Sharing cutting-edge internet technologies and practical AI resources.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.