Introduction
The Plivo Browser SDK supports two authentication methods for registering SIP endpoints:- Username/Password:
client.login(username, password) - JWT Access Token:
client.loginWithAccessToken(jwt)(recommended, added in v2.2.16)
JWT authentication requires
plivo-browser-sdk v2.2.16 or later. Earlier versions only support username/password authentication.How it works
- Your browser app requests a JWT from your backend server.
- Your server calls the Plivo REST API to generate a signed token.
- Plivo returns a signed JWT.
- Your server passes the JWT to the browser.
- The Browser SDK uses the JWT to register with Plivo via
loginWithAccessToken(). - Plivo validates the token and completes SIP registration over WebRTC.
JWTs must be generated server-side via the Plivo REST API. Locally-signed JWTs (using libraries like
jsonwebtoken) are rejected by Plivo’s SIP infrastructure, even if signed with your auth_token.Prerequisites
Before generating JWT tokens, you need:- A Plivo account with
auth_idandauth_token(sign up) - A Plivo Application that defines your answer and hangup webhook URLs
- A Plivo Endpoint linked to the application
plivo-browser-sdkv2.2.16+ installed in your frontend
Generating a JWT token
Use the Plivo REST API to generate a signed JWT for a specific endpoint.API endpoint
Authentication
Use HTTP Basic Auth with your Plivoauth_id and auth_token.
Request body
Permissions
Theper object controls what the authenticated endpoint can do:
Response
A successful request returns a JSON object containing the signed JWT:The
cty: "plivo;v=1" header is added automatically by the Plivo REST API when generating tokens. Plivo’s server validates this field during SIP registration.Server-side examples
- Node.js
- Python
- cURL
Browser SDK integration
Login with a JWT
After fetching a JWT from your server, useloginWithAccessToken() to register with Plivo:
Making a call after login
Once registered, you can make outbound calls:Refreshing tokens
JWT tokens are short-lived. If you need to re-register (for example, after a network disconnect), fetch a new token and callloginWithAccessToken() again:
Setting up an application and endpoint
If you don’t already have a Plivo Application and Endpoint, create them before generating JWT tokens.Create an application
A Plivo Application defines the webhook URLs that Plivo calls when a browser-initiated call connects.- cURL
- Python
- Node.js
app_id. Save this for creating endpoints and generating JWT tokens.
For more details, see the Application API reference.
Create an endpoint
A Plivo Endpoint is a SIP identity that the Browser SDK registers as. Each endpoint must be linked to an application.- cURL
- Python
- Node.js
Endpoint constraints:
username: Alphanumeric characters only, 1-25 characters, must start with an alphabetic character.alias: Letters, numbers, hyphens, and underscores only.password: At least 5 characters. Only used at creation time; the Browser SDK authenticates via JWT, not the endpoint password.
sub when generating JWT tokens. For more details, see the Endpoint API reference.
Error codes
When JWT authentication fails, theonLoginFailed event returns a numeric error code. Use getErrorStringByErrorCodes() to get a human-readable message.
Handling errors in code
Best practices
- Keep tokens short-lived. A validity of 5 minutes is recommended. The Browser SDK maintains the SIP registration after login; re-authentication is only needed when the session disconnects.
-
Match the endpoint to the application. Each endpoint is linked to a specific application via
app_id. Theappfield in the JWT should reference the same application the endpoint is registered to, otherwise call routing may behave unexpectedly. -
Never expose credentials to the browser. Your
auth_idandauth_tokenshould only be used server-side. The browser should only receive the signed JWT. - One endpoint per concurrent session. While Plivo allows multiple simultaneous registrations for the same endpoint, this is only reliable for outbound-only use cases. For inbound call routing, use a unique endpoint per browser session.