Client Authentication

I have an application - think of it like an eHealth application where each meeting participant must be verified as authentic. My application has the user credentials and can validate itself of course but my question is: What is the best approach to implement a session for a user using OpenVidu that ensures that the session is being initiated from the authentic user and not someone that has copied out the content of the website data (the session ID) - basically, how do I implement session authentication?

Is there an existing readme, faq or doc? Maybe even a repo that does this?

Reading the docs it sorta sounds like:

  1. Request a new session with REST API - OpenVidu Docs that will be used for all the parties in the call
  2. Request a new connection per user with REST API - OpenVidu Docs
  3. Pass the connection token to the web interface and have the JS use that to connect

Does that sound right?

That’s right. Security at the client side is guaranteed by the token logic. You may only create Sessions from your backend using REST API and your OpenVidu Server secret. You may only create Connections for your Session from your backend using REST API and your OpenVidu Server secret. The only way a final user can “occupy the slot” of a Connection is by consuming its token.
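A backend sketch of the three steps discussed above, added here as an example (it is not code from this thread or from the OpenVidu project). It assumes the OpenVidu 2.x REST paths `/openvidu/api/sessions` and `/openvidu/api/sessions/<id>/connection`; the URL, secret, `meeting` record and function names are hypothetical placeholders.

```python
import base64
import json
import urllib.error
import urllib.request

OPENVIDU_URL = "https://openvidu.example.test"  # placeholder deployment URL
OPENVIDU_SECRET = "CHANGE_ME"                   # placeholder; never leaves the backend

def openvidu_post(path, body):
    """POST to the OpenVidu REST API with the server secret; returns (status, json)."""
    auth = base64.b64encode(f"OPENVIDUAPP:{OPENVIDU_SECRET}".encode()).decode()
    req = urllib.request.Request(
        OPENVIDU_URL + path, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Basic " + auth,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}

def issue_token(user_id, meeting, post=openvidu_post):
    """Return a single-connection token for an already-authenticated user.

    `meeting` is the application's own record (hypothetical shape):
    {"session_id": str, "participants": set of user ids}.
    """
    # Authorization is decided by the application before OpenVidu is contacted.
    if user_id not in meeting["participants"]:
        raise PermissionError(f"{user_id} is not invited to this meeting")
    session_id = meeting["session_id"]
    # Step 1: create the session; 409 means it already exists, which is fine.
    status, _ = post("/openvidu/api/sessions", {"customSessionId": session_id})
    if status not in (200, 409):
        raise RuntimeError(f"session creation failed: HTTP {status}")
    # Step 2: one Connection per user; "data" ties the slot to our user id.
    status, conn = post(f"/openvidu/api/sessions/{session_id}/connection",
                        {"role": "PUBLISHER",
                         "data": json.dumps({"user": user_id})})
    if status != 200:
        raise RuntimeError(f"connection creation failed: HTTP {status}")
    # Step 3: only this token is sent to the browser, never the secret.
    return conn["token"]
```

Call `issue_token` from an endpoint that already sits behind the application's own login, so knowing the session ID alone gets a client nothing.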