Azure Web PubSub service data plane REST API reference

As illustrated by the above workflow graph, and also detailed workflow described in internals, your app server can send messages to clients or to manage the connected clients using REST APIs exposed by Web PubSub service. This article describes the REST APIs in detail.

Using REST API

Authenticate via Azure Web PubSub Service AccessKey

In each HTTP request, an authorization header with a JSON Web Token (JWT) is required to authenticate with Azure Web PubSub Service.

Signing Algorithm and Signature

HS256, namely HMAC-SHA256, is used as the signing algorithm.

You should use the AccessKey in Azure Web PubSub Service instance's connection string to sign the generated JWT token.

Claims

Below claims are required to be included in the JWT token.

Claim Type	Is Required	Description
aud	true	Should be the SAME as your HTTP request url. For example, a broadcast request's audience looks like: https://example.webpubsub.azure.com/api/hubs/myhub/:send?api-version=2022-11-01.
exp	true	Epoch time when this token will be expired.

A pseudo code in JS:

const bearerToken = jwt.sign({}, connectionString.accessKey, {
  audience: request.url,
  expiresIn: "1h",
  algorithm: "HS256",
});

Authenticate via Microsoft Entra token

Like using AccessKey, a JSON Web Token (JWT) is also required to authenticate the HTTP request.

The difference is, in this scenario, JWT Token is generated by Microsoft Entra ID.

Learn how to generate Microsoft Entra tokens

The credential scope used should be https://webpubsub.azure.com/.default.

You could also use Role Based Access Control (RBAC) to authorize the request from your server to Azure Web PubSub Service.

Learn how to configure Role Based Access Control roles for your resource

APIs

Operation Group	Description
Service Status	Provides operations to check the service status
Hub Operations	Provides operations to manage the connections and send messages to them.