Skip to main content

Introduction

The Plivo Browser SDK supports two authentication methods for registering SIP endpoints:
  1. Username/Password: client.login(username, password)
  2. JWT Access Token: client.loginWithAccessToken(jwt) (recommended, added in v2.2.16)
JWT tokens are short-lived, server-signed tokens that authenticate a browser session against a Plivo SIP endpoint without exposing endpoint credentials to the client. This makes JWT the recommended approach for production applications.
JWT authentication requires plivo-browser-sdk v2.2.16 or later. Earlier versions only support username/password authentication.

How it works

  1. Your browser app requests a JWT from your backend server.
  2. Your server calls the Plivo REST API to generate a signed token.
  3. Plivo returns a signed JWT.
  4. Your server passes the JWT to the browser.
  5. The Browser SDK uses the JWT to register with Plivo via loginWithAccessToken().
  6. Plivo validates the token and completes SIP registration over WebRTC.
JWTs must be generated server-side via the Plivo REST API. Locally-signed JWTs (using libraries like jsonwebtoken) are rejected by Plivo’s SIP infrastructure, even if signed with your auth_token.

Prerequisites

Before generating JWT tokens, you need:
  • A Plivo account with auth_id and auth_token (sign up)
  • A Plivo Application that defines your answer and hangup webhook URLs
  • A Plivo Endpoint linked to the application
  • plivo-browser-sdk v2.2.16+ installed in your frontend
If you don’t have an application and endpoint yet, see Setting up an application and endpoint below.

Generating a JWT token

Use the Plivo REST API to generate a signed JWT for a specific endpoint.

API endpoint

Authentication

Use HTTP Basic Auth with your Plivo auth_id and auth_token.

Request body

Permissions

The per object controls what the authenticated endpoint can do:

Response

A successful request returns a JSON object containing the signed JWT:
The returned JWT has the following structure:
The cty: "plivo;v=1" header is added automatically by the Plivo REST API when generating tokens. Plivo’s server validates this field during SIP registration.

Server-side examples

Browser SDK integration

Login with a JWT

After fetching a JWT from your server, use loginWithAccessToken() to register with Plivo:

Making a call after login

Once registered, you can make outbound calls:

Refreshing tokens

JWT tokens are short-lived. If you need to re-register (for example, after a network disconnect), fetch a new token and call loginWithAccessToken() again:

Setting up an application and endpoint

If you don’t already have a Plivo Application and Endpoint, create them before generating JWT tokens.

Create an application

A Plivo Application defines the webhook URLs that Plivo calls when a browser-initiated call connects.
The response includes an app_id. Save this for creating endpoints and generating JWT tokens. For more details, see the Application API reference.

Create an endpoint

A Plivo Endpoint is a SIP identity that the Browser SDK registers as. Each endpoint must be linked to an application.
Endpoint constraints:
  • username: Alphanumeric characters only, 1-25 characters, must start with an alphabetic character.
  • alias: Letters, numbers, hyphens, and underscores only.
  • password: At least 5 characters. Only used at creation time; the Browser SDK authenticates via JWT, not the endpoint password.
The endpoint username from the response is the value you pass as sub when generating JWT tokens. For more details, see the Endpoint API reference.

Error codes

When JWT authentication fails, the onLoginFailed event returns a numeric error code. Use getErrorStringByErrorCodes() to get a human-readable message.

Handling errors in code

Best practices

  1. Keep tokens short-lived. A validity of 5 minutes is recommended. The Browser SDK maintains the SIP registration after login; re-authentication is only needed when the session disconnects.
  2. Match the endpoint to the application. Each endpoint is linked to a specific application via app_id. The app field in the JWT should reference the same application the endpoint is registered to, otherwise call routing may behave unexpectedly.
  3. Never expose credentials to the browser. Your auth_id and auth_token should only be used server-side. The browser should only receive the signed JWT.
  4. One endpoint per concurrent session. While Plivo allows multiple simultaneous registrations for the same endpoint, this is only reliable for outbound-only use cases. For inbound call routing, use a unique endpoint per browser session.