Azure Web PubSub service data plane REST API reference
As illustrated by the above workflow graph, and also detailed workflow described in internals, your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.
Important
Raw connection strings appear in this article for demonstration purposes only.
A connection string includes the authorization information required for your application to access Azure Web PubSub service. The access key inside the connection string is similar to a root password for your service. In production environments, always protect your access keys. Use Azure Key Vault to manage and rotate your keys securely and secure your connection with WebPubSubServiceClient.
Avoid distributing access keys to other users, hard-coding them, or saving them anywhere in plain text that is accessible to others. Rotate your keys if you believe they may have been compromised.
Using REST API
Authenticate via Azure Web PubSub Service AccessKey
In each HTTP request, an authorization header with a JSON Web Token (JWT) is required to authenticate with Azure Web PubSub Service.
Signing Algorithm and Signature
HS256, namely HMAC-SHA256, is used as the signing algorithm.
You should use the AccessKey in Azure Web PubSub Service instance's connection string to sign the generated JWT token.
Claims
Below claims are required to be included in the JWT token.
| Claim Type | Is Required | Description |
|---|---|---|
aud |
true | Should be the SAME as your HTTP request url. For example, a broadcast request's audience looks like: https://example.webpubsub.azure.com/api/hubs/myhub/:send?api-version=2022-11-01. |
exp |
true | Epoch time when this token will be expired. |
A pseudo code in JS:
Raw connection strings appear in this article for demonstration purposes only. In production environments, always protect your access keys. Use Azure Key Vault to manage and rotate your keys securely and secure your connection with WebPubSubServiceClient.
const bearerToken = jwt.sign({}, connectionString.accessKey, {
audience: request.url,
expiresIn: "1h",
algorithm: "HS256",
});
Authenticate via Microsoft Entra token
Like using AccessKey, a JSON Web Token (JWT) is also required to authenticate the HTTP request.
The difference is, in this scenario, JWT Token is generated by Microsoft Entra ID.
Learn how to generate Microsoft Entra tokens
The credential scope used should be https://webpubsub.azure.com/.default.
You could also use Role Based Access Control (RBAC) to authorize the request from your server to Azure Web PubSub Service.
Learn how to configure Role Based Access Control roles for your resource
APIs
| Operation Group | Description |
|---|---|
| Service Status | Provides operations to check the service status |
| Hub Operations | Provides operations to manage the connections and send messages to them. |