Azure Web PubSub service data plane REST API reference

Diagram showing the Web PubSub service workflow.

As illustrated by the above workflow graph, and also detailed workflow described in internals, your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.

Using REST API

Authenticate via Azure Web PubSub Service AccessKey

In each HTTP request, an authorization header with a JSON Web Token (JWT) is required to authenticate with Azure Web PubSub Service.

Signing Algorithm and Signature

HS256, namely HMAC-SHA256, is used as the signing algorithm.

You should use the AccessKey in Azure Web PubSub Service instance's connection string to sign the generated JWT token.

Claims

Below claims are required to be included in the JWT token.

Claim Type Is Required Description
aud true Should be the SAME as your HTTP request url. For example, a broadcast request's audience looks like: https://example.webpubsub.azure.com/api/hubs/myhub/:send?api-version=2022-11-01.
exp true Epoch time when this token will be expired.

A pseudo code in JS:

const bearerToken = jwt.sign({}, connectionString.accessKey, {
  audience: request.url,
  expiresIn: "1h",
  algorithm: "HS256",
});

Authenticate via Microsoft Entra token

Like using AccessKey, a JSON Web Token (JWT) is also required to authenticate the HTTP request.

The difference is, in this scenario, JWT Token is generated by Microsoft Entra ID.

Learn how to generate Microsoft Entra ID Tokens

You could also use Role Based Access Control (RBAC) to authorize the request from your server to Azure Web PubSub Service.

Learn how to configure Role Based Access Control roles for your resource

APIs

Operation Group Description
Service Status Provides operations to check the service status
Hub Operations Provides operations to manage the connections and send messages to them.