Overview
Your frontend app uses a JWT access token to authenticate with LiveKit and specify which agent to dispatch. Generating a token requires API keys so it must be created on a backend server, sent to the frontend, and then provided to the session for connection. To simplify this process, the session API utilizes a TokenSource abstraction that handles the details for you. The SDKs ship with a few different types of TokenSource to make it easy to get started and move to production.
TokenSource
TokenSource abstracts away token fetching, caching, and refreshing, and integrates with Session for automatic room connection and agent dispatch. The following types of TokenSource are available:
| Type | Description |
|---|---|
| Sandbox | LiveKit Cloud generates tokens for you, which is useful for development and testing but insecure in production. |
| Endpoint | Provide a standardized token endpoint on your own backend, with your own authentication headers, and let LiveKit manage the token lifecycle. |
| Custom | Provide your own custom asynchronous token generation mechanism. |
| Literal | Directly provide tokens that you have generated and fetched yourself. |
For lower-level control, you can generate tokens manually and use Room.connect directly. See Tokens & grants for more information on token generation.
Authentication flow
Authentication has three main steps:
Token generation: Your backend (or LiveKit Cloud sandbox) generates a JWT token that includes agent dispatch information.
Frontend connection: Your frontend uses the token to connect to a LiveKit room. With
Session, this happens automatically --TokenSourcefetches the token andSessionhandles the connection.Agent dispatch: LiveKit reads the agent dispatch information and assigns the specified agent to the room.
The diagram below shows the different paths you can take for token generation, and how they fit into the flow:
Loading diagram…
Choose a workflow
Pick a token generation approach based on where you are in development.
Development workflow
Use LiveKit Cloud's sandbox token server for quick development and testing. No backend code needed -- your frontend uses a sandbox TokenSource.
Sandbox token server
Get detailed setup instructions and frontend code examples for all platforms.
Production workflow
For production, build a standardized token endpoint or use your existing token generation infrastructure with a custom TokenSource.
Token endpoints
Build your own token endpoint for production use. Your backend generates tokens that include agent dispatch, and your frontend uses an endpoint TokenSource.
Token endpoints
Get the endpoint format, implementation guide, and production-ready backend examples.
Custom token generation
If you already have a token generation mechanism, use a custom TokenSource to integrate it with Session. You get token caching and automatic refreshing while using your existing infrastructure.
Custom token generation
Learn how to integrate your existing token generation with Session APIs.
Alternative: Manual token generation
If you prefer to generate tokens yourself and use Room.connect directly, you skip Session entirely and handle room connection and agent lifecycle yourself. You must include agent dispatch information when you create the token.
Tokens & grants
Learn about token structure, grants, permissions, and how to create tokens manually.