javascript - how to hide pubnub keys when using JS

Question

I opened a ticket in pubnub and also read: https://help.pubnub.com/entries/22251291-Can-I-Hide-my-Application-Keys-

But I still can't understand how can I stop the user from seeing my keys as it is still on client side even after obfuscation.

What I want to do is something I read in this post: PubNub publish message between two Private Channels

1. Create a public channel and a private the channel for each user
2. Hide the keys from the user

I'm not sure how to create a private channel with custom keys that the user can't see.

---

EDIT: I was able to understand the flow of auth_key but can't find the php equivalency for the JS crypto lib to grant permission. any idea on how to implement it in PHP?

Answer 1

You can't hide keys that are transmitted to the client and are accessible in JavaScript.

However, what you can do is restrict who can read and write to channels by using an auth_key along with your publish and subscribe keys. PubNub recently released the PubNub Access Manager to enable this. The auth_key will be specific to each user.

1. The users auth_key will allow that user to read and write to their own private channel. You will need to set permissions so that nobody else will be able to read or write to this channel.
2. The users auth_key will give them permission to read and write to their own public channel. Others can read, but cannot write to this channel.

Details on exactly how to do this should probably be asked in another question. The PAM getting started guide should be the best place to start.