Developer documentation
Your backend publishes over HTTP. Browsers and apps subscribe with socket.io-client. Keys come from this portal — never mix up publish vs subscribe.
POST /publish with App ID + publish key
Socket.IO rooms per app + channel
auth + subscribe key, then listen for events
| Credential | Use | Where |
|---|---|---|
App ID |
Identifies your app | Publish header + client auth |
Publish key pk_live_… |
Authorize HTTP publishes | Server only — env / secrets manager |
Subscribe key sub_live_… |
Socket.IO connection | Clients (treat as sensitive client credential) |
POST to __BASE__/publish with JSON body
channel, event, and optional data.
curl -X POST "__BASE__/publish" \
-H "Content-Type: application/json" \
-H "X-App-Id: YOUR_APP_ID" \
-H "Authorization: Bearer YOUR_PUBLISH_KEY" \
-d '{"channel":"orders.42","event":"order.updated","data":{"id":42}}'
await fetch(`${process.env.REALTIME_URL}/publish`, {
method: "POST",
headers: {
"Content-Type": "application/json",
"X-App-Id": process.env.REALTIME_APP_ID,
Authorization: `Bearer ${process.env.REALTIME_PUBLISH_KEY}`,
},
body: JSON.stringify({
channel: "orders.42",
event: "order.updated",
data: { id: 42 },
}),
});
Install socket.io-client. Pass App ID and subscribe key in
handshake auth — not query strings.
import { io } from "socket.io-client";
const socket = io("YOUR_REALTIME_ORIGIN", {
transports: ["websocket", "polling"],
auth: {
appId: "YOUR_APP_ID",
subscribeKey: "YOUR_SUBSCRIBE_KEY",
},
});
socket.emit("subscribe", "orders.42");
socket.on("subscribed", (p) => console.log("Joined", p.channel));
socket.on("order.updated", (data) => console.log(data));
The event you pass to /publish must match the string in
socket.on("…").
Set in .env:
REALTIME_SOCKET_URL=__BASE__ REALTIME_APP_ID=app_xxx REALTIME_PUBLISH_KEY=pk_live_xxx
Then call SocketPublisher::publish($channel, $event, $data) from your app.
POST /publish requests per minute per app (rolling window).X-App-Id and Authorization: Bearer <publish key>, not the subscribe key.auth: { appId, subscribeKey }; check origin and TLS.socket.on.