Azure Web PubSub service data plane REST API reference

Diagram showing the Web PubSub service workflow.

As illustrated by the above workflow graph, and also detailed workflow described in internals, your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.


Authenticate via Azure Web PubSub Service AccessKey

In each HTTP request, an authorization header with a JSON Web Token (JWT) is required to authenticate with Azure Web PubSub Service.

Signing Algorithm and Signature

HS256, namely HMAC-SHA256, is used as the signing algorithm.

You should use the AccessKey in Azure Web PubSub Service instance's connection string to sign the generated JWT token.


Below claims are required to be included in the JWT token.

Claim Type Is Required Description
aud true Should be the SAME as your HTTP request url, trailing slash and query parameters not included. For example, a broadcast request's audience looks like:
exp true Epoch time when this token will be expired.

A pseudo code in JS:

const bearerToken = jwt.sign({}, connectionString.accessKey, {
         audience: request.url,
         expiresIn: "1h",
         algorithm: "HS256",

Authenticate via Azure Active Directory Token (Azure AD Token)

Like using AccessKey, a JSON Web Token (JWT) is also required to authenticate the HTTP request.

The difference is, in this scenario, JWT Token is generated by Azure Active Directory.

Learn how to generate Azure AD Tokens

The credential scope used should be

You could also use Role Based Access Control (RBAC) to authorize the request from your server to Azure Web PubSub Service.

Learn how to configure Role Based Access Control roles for your resource


Operation Group Description
Service Status Provides operations to check the service status
Hub Operations Provides operations to manage the connections and send messages to them.