Skip to main content
An Auth Token is a credential that allows a user to authenticate with CometChat SDKs on the client side. Each token is tied to a specific user and can be used across multiple devices.

Available operations

How auth tokens work

  1. Your server creates a user via the Create User API (optionally with withAuthToken: true).
  2. If not created during user creation, your server generates an auth token via Create Auth Token.
  3. Your server passes the auth token to the client application.
  4. The client SDK uses the token to log in: CometChat.login(authToken).
Auth tokens do not expire by default, enabling persistent sessions across multiple devices simultaneously.To prevent token accumulation and potential abuse, CometChat enforces a rolling retention policy: only the most recent 100 auth tokens per user are kept active. When a new token is issued and the limit is exceeded, the oldest tokens are automatically archived and invalidated. This ensures system integrity without requiring manual token management.If your application requires explicit session control, use the Flush Auth Tokens endpoint to revoke all active tokens for a user, or Delete to revoke a specific token.

Relationships

  • Users — Every auth token belongs to a specific User. The user must exist before a token can be created.
  • Sessions — Each auth token represents an active session. Flushing all tokens logs the user out of every device.

Auth token properties

Error handling

For the complete list of error codes, see Error Guide. For all system limits (token retention policy, etc.), see Properties and Constraints.