Skip to main content

Authentication

The Telnyx WebRTC SDK supports three authentication methods. Use JWT for all production applications.

Overview

Use JWT (login_token) for all production applications. Credentials (login + password) are long-lived with no automatic rotation. JWTs expire after 24 hours and can be refreshed via TOKEN_EXPIRING_SOON.

JWT is the most secure authentication method. You generate a short-lived token on your backend and pass it to the SDK.

How It Works

Step 1: Create a Credential Connection

Create a SIP Credential Connection in the Telnyx Portal or via API:
See Credential Connections for full configuration options.

Step 2: Create a Telephony Credential

Each user needs their own credential. Never share one credential across multiple users.
See Telephony Credentials for full CRUD operations.

Step 3: Generate a JWT

Generate the JWT on your backend — never on the client. This requires your API key.
Response:
This token expires in 24 hours. You must handle refresh (see below). Node.js example:

Step 4: Use JWT in the SDK

Token Refresh

JWTs expire after 24 hours. Handle the TOKEN_EXPIRING_SOON warning to refresh without dropping the connection:
Start refreshing tokens at least 1 hour before expiry. The TOKEN_EXPIRING_SOON warning fires ~1 hour before expiration.

Method 2: Credential (Development Only)

Use login + password for local development and testing only.
When to use:
  • Local development and testing
  • Quick prototyping before setting up JWT infrastructure
When NOT to use:
  • Production applications
  • Multi-user scenarios where each user needs their own identity
  • Any environment where you need automatic token rotation
The login value is the sip_username from a Telephony Credential (e.g., gencrednb4ADiBVjsvgvxem0OwkeNfryiIwhaUSJMJXjiwY3Y). The password is set when creating the credential.

Method 3: Anonymous (AI Assistants)

Connect to an AI assistant without requiring a credential. The anonymous_login option accepts an object specifying the target:
Use cases:
  • Click-to-call widgets connecting users directly to an AI assistant
  • Embedding voice AI in web apps without managing credentials
Limitations:
  • Cannot receive inbound calls
  • No SIP identity — calls are outbound to the specified AI assistant only
  • Limited call control features

Continue a conversation

Pass a conversation_id to resume an existing conversation with the AI assistant:

Credential Hierarchy

Understanding how Telnyx auth resources relate to each other:
  • Credential Connection — SIP-level configuration (transport, codecs, webhook)
  • Telephony Credential — Individual identity (one per user)
  • JWT — Short-lived token generated from a credential
One credential per user. Never share a credential across multiple users. Each user should have their own credential and their own JWT. Sharing credentials causes registration conflicts — only the most recently connected device receives inbound calls.

Common Mistakes


Server-Side Token Generation

Here’s a complete Node.js/Express endpoint for generating JWTs:

See Also