
Private channels

Channels prefixed with private- require server-side authorization before a client can subscribe. Use them for per-user feeds, paid-tier features, or anything you want to gate.

How auth works

  1. Client calls pusher.subscribe('private-user.42').
  2. The Pusher SDK posts socket_id + channel_name to your auth endpoint (/broadcasting/auth by default).
  3. Your endpoint checks the user is allowed to subscribe to that channel, then returns a signed token.
  4. The SDK sends the token to Mawjly, which verifies the signature with your secret. If it matches, the subscription is granted.

The token is signed with your app secret, so the auth code must run on your server. Never embed the secret in client bundles.

Client

const pusher = new Pusher('YOUR_KEY', {
  wsHost: 'ws-sa.mawjly.com',
  wssPort: 443,
  forceTLS: true,
  cluster: 'sa',
  authEndpoint: '/broadcasting/auth',
  // For Sanctum / cookie-based auth:
  auth: { headers: { 'X-Requested-With': 'XMLHttpRequest' } },
});
 
const channel = pusher.subscribe('private-user.42');
channel.bind('order.shipped', (e) => console.log(e));

Server (sketch)

The auth response shape Mawjly expects:

{ "auth": "<key>:<hex_hmac_sha256>" }

Where the HMAC is computed over socket_id:channel_name using your app secret. Most server SDKs have a one-line helper:

  • Laravel: automatic via Broadcast::channel(...) in routes/channels.php
  • PHP: $pusher->authorizeChannel($channel, $socketId)
  • Node: pusher.authorizeChannel(socketId, channel)
  • Python: p.authenticate(channel=..., socket_id=...)

See Authorization endpoints for full code.
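
For readers who want to see steps 3 and 4 without an SDK helper, here is an added example in Node.js (not Mawjly's or any SDK's own code) that makes the access decision before signing and then verifies the token the way the receiving side would. The function names, the private-user.<id> ownership policy, the socket_id pattern and the YOUR_KEY / YOUR_SECRET placeholders are assumptions for illustration.

```javascript
const crypto = require('crypto');

// Placeholders (constructed). Load the real values from server-side config only.
const APP_KEY = 'YOUR_KEY';
const APP_SECRET = 'YOUR_SECRET';

// Assumption: socket ids look like "1234.5678", as in the Pusher protocol.
// Rejecting anything else keeps ':' out of the signed "socket_id:channel_name".
const SOCKET_ID_RE = /^\d+\.\d+$/;

// Hypothetical policy: private-user.<id> may be joined by user <id> only.
function maySubscribe(userId, channel) {
  const m = /^private-user\.(\d+)$/.exec(channel);
  return m !== null && m[1] === String(userId);
}

// HMAC-SHA256 over "socket_id:channel_name", hex encoded.
function sign(socketId, channel) {
  return crypto.createHmac('sha256', APP_SECRET)
    .update(`${socketId}:${channel}`)
    .digest('hex');
}

// Step 3: decide, then sign. userId comes from the server-side session,
// never from the request body.
function authorize(userId, socketId, channel) {
  if (userId === null || userId === undefined) {
    return { status: 401, body: { error: 'unauthenticated' } };
  }
  if (typeof socketId !== 'string' || !SOCKET_ID_RE.test(socketId)) {
    return { status: 400, body: { error: 'bad socket_id' } };
  }
  if (typeof channel !== 'string' || !maySubscribe(userId, channel)) {
    return { status: 403, body: { error: 'forbidden' } };
  }
  return { status: 200, body: { auth: `${APP_KEY}:${sign(socketId, channel)}` } };
}

// Step 4, as the verifying side would do it: recompute, compare in constant time.
function verify(auth, socketId, channel) {
  const [key, mac = ''] = String(auth).split(':');
  const got = Buffer.from(mac, 'hex');
  const want = Buffer.from(sign(socketId, channel), 'hex');
  return key === APP_KEY && got.length === want.length &&
    crypto.timingSafeEqual(got, want);
}
```

Because the signature covers both the socket id and the channel name, a token issued for one connection or channel does not verify for another.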

Client events

If your app has client events enabled (Startup tier and above), browsers can publish events directly on private channels. Client event names must start with the client- prefix. Useful for typing indicators, cursor positions, etc.

channel.trigger('client-typing', { user: 'alice' });

Client events:

  • Only work on private-* and presence-* channels (never on public)
  • Are not echoed back to the publisher
  • Are subject to a per-second rate limit (100/sec by default)