Users & Tokens

Creating users

Stream Users require only an ID to be created. Users can be created with the role of user or admin. The role will be set to user if a value is not provided in the request. There are additional properties you can provide to further describe your users.

The name and image fields are special fields that are supported by client-side SDKs.

You can provide additional data for the user object using the custom field.

JavaScript

const newUser: UserObjectRequest = {
  id: 'userid',
  role: 'user',
  custom: {
    color: 'red',
  },
  name: 'This is a test user',
  image: 'link/to/profile/image',
};
await client.upsertUsers({
  users: {
    [newUser.id]: newUser,
  },
});

Python

from getstream.models import UserRequest

client.upsert_users(
    UserRequest(
        id="user_id",
        role="user",
        custom={"color": "red"},
        name="This is a test user",
        image="link/to/profile/image",
    )
)

cURL

curl -X POST https://video.stream-io-api.com/api/v2/users?api_key=${API_KEY} \
-H "Authorization: ${TOKEN}" \
-H "stream-auth-type: jwt" \
-H "Content-Type: application/json" \
-d '{
  "users": {
    "john": {
      "id": "john",
      "role": "user",
      "custom": {
        "color": "red"
      },
      "name": "John",
      "image": "link/to/profile/image"
    }
  }
}'

Updating users

There are two ways to update user objects:

• Updating will replace the existing user object
• Partial update will let you choose which fields you want to change/unset

JavaScript

const user: UserObjectRequest = {
  id: 'userid',
  role: 'user',
  custom: {
    color: 'red',
  },
  name: 'This is a test user',
  image: 'link/to/profile/image',
};
client.upsertUsers({
  users: {
    [user.id]: user,
  },
});

// or
client.updateUsersPartial({
  users: [
    {
      id: user.id,
      set: {
        color: 'blue',
      },
      unset: ['name'],
    },
  ],
});

Python

client.upsert_users(UserRequest(
  id= 'userid',
  role= 'user',
  custom= {
    "color": 'red',
  },
  name= 'This is a test user',
  image= 'link/to/profile/image',
))

# or
client.update_users_partial(
    users=[
        UpdateUserPartialRequest(
            id="userid",
            set={
                "color": "blue",
            },
            unset=["name"],
        )
    ],
)

cURL

# Upserting a user, all existing user data will be overridden
curl -X POST https://video.stream-io-api.com/api/v2/users?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "users": {
      "john": {
        "id": "john",
        "role": "user",
        "custom": {
          "color": "red"
        },
        "name": "John",
        "image": "link/to/profile/image"
      }
    }
  }'

# Partial update
curl -X PATCH https://video.stream-io-api.com/api/v2/users?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "users": [
      {
        "id": "john",
        "set": {
          "color": "blue"
        },
        "unset": ["name"]
      }
    ]
  }'

Anonymous users

Anonymous users are users that are not authenticated. It's common to use this for watching a livestream or similar where you aren't authenticated. Anonymous users can be connected using client-side SDKs. Anonymous users are not counted toward your MAU.

Guest users

Guest users are temporary user accounts. You can use it to temporarily give someone a name and image when joining a call. Guest users can be created client-side. Guest users are counted towards your MAU usage.

Deactivating and deleting users

While it is usually safer for data retention to deactivate a user, some use cases require completely deleting a user and their data.

Deactivating a user means:

• the user can't connect to Stream API
• their data will be retained
• a deactivated user can be reactivated

Deleting a user means:

• the user can't connect to Stream API
• their data won't appear in user queries

Delete has the following opitions:

Name	Type	Description	Optional
user	Enum (soft, pruning, hard)	- Soft: marks user as deleted and retains all user data. - Pruning: marks user as deleted and nullifies user information. - Hard: deletes user completely - this requires hard option for messages and conversation as well.	Yes
conversations	Enum (soft, hard)	- Soft: marks all conversation channels as deleted (same effect as Delete Channels with 'hard' option disabled). - Hard: deletes channel and all its data completely including messages (same effect as Delete Channels with 'hard' option enabled).	Yes
messages	Enum (soft, pruning, hard)	- Soft: marks all user messages as deleted without removing any related message data. - Pruning: marks all user messages as deleted, nullifies message information and removes some message data such as reactions and flags. - Hard: deletes messages completely with all related information.	Yes
new_channel_owner_id	string	Channels owned by hard-deleted users will be transferred to this userID. If you doesn't provide a value, the channel owner will have a system generated ID like delete-user-8219f6578a7395g	Yes

JavaScript

client.deleteUsers({ user_ids: ['<id>'] });

//restore
client.restoreUsers({ user_ids: ['<id>'] });

Python

client.delete_users(user_ids=["<id>"])

# restore
client.restore_users(user_ids=["<id>"])

cURL

# Delete users
curl -X POST https://video.stream-io-api.com/api/v2/users/delete?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "user_ids": ["sara"]
  }'

# Restore users
curl -X POST https://video.stream-io-api.com/api/v2/users/restore?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "user_ids": ["sara"]
  }'

JavaScript

client.deactivateUser({
  user_id: '<id>',
});

//reactivate
client.reactivateUsers({
  user_ids: ['<id>'],
});

// deactivativating users in bulk can take some time
const deactivateResponse = client.deactivateUsers({
  user_ids: ['<id1>', '<id2>'...],
});

// you need to poll this endpoint
const taskResponse = await client.getTaskStatus({id: deactivateResponse.task_id})

console.log(taskResponse.status === 'completed');

Python

# deactivate one user
client.deactivate_user(user_id=alice.id)

# reactivates the user
client.reactivate_user(user_id=alice.id)

# deactivates users in bulk, this is an async operation
response = client.deactivate_users(user_ids=[alice.id, bob.id])
task_id = response.data.task_id

# get information about the task
task_status = client.get_task(task_id)

# just an example, in reality it can take a few seconds for a task to be processed
if task_status.data.status == "completed":
    print(task_status.data.result)

cURL

# Deactivate users
curl -X POST https://video.stream-io-api.com/api/v2/users/deactivate?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "user_ids": ["sara"]
  }'

# Reactivate users
curl -X POST https://video.stream-io-api.com/api/v2/users/deactivate?api_key=${API_KEY} \
  -H "Authorization: ${TOKEN}" \
  -H "stream-auth-type: jwt" \
  -H "Content-Type: application/json" \
  -d '{
    "user_ids": ["sara"]
  }'

# Reactivate users in bulk can take some time, you can poll task status using the task id from the response
# When finished, task status will be completed
curl -X GET https://video.stream-io-api.com/api/v2/tasks/${TASK_ID}?api_key=${API_KEY} \
    -H "Authorization: ${TOKEN}" \
    -H "stream-auth-type: jwt"

User tokens

Stream uses JWT (JSON Web Tokens) to authenticate chat users, enabling them to log in. Knowing whether a user is authorized to perform certain actions is managed separately via a role-based permissions system. Tokens need to be generated server-side.

You can optionally provide an expiration time. By default, tokens are valid for 1 hour.

JavaScript

const userId = 'john';
// exp is optional (by default the token is valid for an hour)
const exp = Math.round(new Date().getTime() / 1000) + 60 * 60;
client.createToken(userId, exp);

Python

# in this example we use Django
# but you can use any framework you like
import time
from django.contrib.auth.decorators import login_required
from django.http import JsonResponse

# The user token endpoint is protected with the login_required decorator.
@login_required
def create_user_token(request):
    # The 'user_id' is retrieved from the request's user instance.
    user_id = request.user.id

    # the token will be valid for 1 hour
    exp = 3600

    # Here client is Stream client and it's called with the 'user_id' and the expiration time.
    token = client.create_token(user_id, expiration=exp)

    # The token is then returned in the response.
    return JsonResponse({"token": token})

Bash

HEADER=$(echo -n '{"alg": "HS256", "typ": "JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');
USER_ID='<user id>';
CURRENT_TIMESTAMP=$(date +%s);
HOUR_FROM_NOW=$((CURRENT_TIMESTAMP + 3600))
PAYLOAD=$(echo -n '{"user_id": "'${USER_ID}'", "iat": '${CURRENT_TIMESTAMP}', "exp": '${HOUR_FROM_NOW}'}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');
SECRET='<API secret>';
SIGNATURE=$(echo -n ${HEADER}.${PAYLOAD} | openssl dgst -sha256 -hmac ${SECRET} -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');

echo "${HEADER}.${PAYLOAD}.${SIGNATURE}"

You need to provide the generated tokens to the client SDKs. Stream SDKs accept a token provider, that can be called to retrieve and renew tokens. You need to implement the token provider in your own application, this is usually an HTTP endpoint.

Call tokens

Call tokens contain a list of call IDs. When a user utilizes a call token, they will automatically be assigned the membership role for all the calls specified in the token’s claims. Additionally, the token may optionally include alternative roles, such as admin or moderator.

Note: Call tokens are designed to grant additional access, not restrict it. Most call types let regular users join calls. If all users can access any call, call tokens won't change this. Remove call access from the user role and grant it to specific members instead.

JavaScript

const userId = 'john';
// exp is optional (by default the token is valid for an hour)
const exp = Math.round(new Date().getTime() / 1000) + 60 * 60;

const call_cids = ['default:call1', 'livestream:call2'];

client.createCallToken(userId, call_cids, exp);

Python

user_id = "john"

# exp and iat are optional, token will be valid for 1 hour
exp = 3600

call_cids = ["default:call1", "livestream:call2"]

client.create_call_token(user_id=user_id, expiration=exp, call_cids=call_cids)

Bash

HEADER=$(echo -n '{"alg": "HS256", "typ": "JWT"}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');
USER_ID='<user id>';
CURRENT_TIMESTAMP=$(date +%s);
HOUR_FROM_NOW=$((CURRENT_TIMESTAMP + 3600))
CALL_CID1='livestream:1';
CALL_CID2='livestream:2';
PAYLOAD=$(echo -n '{"user_id": "'${USER_ID}'", "call_cids": ["'${CALL_CID1}'", "'${CALL_CID2}'"], "iat": '${CURRENT_TIMESTAMP}', "exp": '${HOUR_FROM_NOW}'}' | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');
SECRET='<API secret>';
SIGNATURE=$(echo -n ${HEADER}.${PAYLOAD} | openssl dgst -sha256 -hmac ${SECRET} -binary | openssl base64 -e -A | tr '+/' '-_' | tr -d '=');

echo "${HEADER}.${PAYLOAD}.${SIGNATURE}"