# Tokens

With tokens you can control a user's access to the room. You can set properties such as the user's role, username and avatar. We highly recommend setting a token validity interval, so that the token is valid only for the period when the meeting will be conducted; see **exp** (expires) and **nbf** (not-before) in the full [properties](https://docs.digitalsamba.com/reference/rest-api/tokens/properties) list.

Tokens are obligatory for **private** rooms. They are also needed in **public** rooms if you have more than one role in the room and need to specify which role the user should enter with.

{% hint style="info" %}
A **private** room means no one can enter the room without a token. Private rooms are much more secure than public rooms. A **public** room means everyone who knows the URL of the room can enter. We highly recommend using **private** rooms for sensitive meetings. On the other hand, **public** rooms can be easier to start with and are useful if you don't need high security or if you are just trying out the app.
{% endhint %}

Tokens use the highly popular [JWT](https://jwt.io/) standard (JSON Web Tokens).

You will be [creating and signing](https://docs.digitalsamba.com/reference/rest-api/tokens/create) the tokens in the backend using your team **developer key**, which can be found in the [dashboard](https://dashboard.digitalsamba.com/team).

{% hint style="danger" %}
Tokens should never be generated in client-facing code like frontends, because your secret developer key will become publicly visible. \
\
Tokens are cryptographically signed data, NOT encrypted. Do not put information into the tokens that users should not see.
{% endhint %}
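
The validity window and the signed-but-not-encrypted point above, shown as an added example that is not Digital Samba's own code. It assumes HS256 (HMAC-SHA256) signing with the developer key, uses a constructed key and timestamps, and a hypothetical `role` claim name; the real property names are in the properties list.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(claims: dict, key: str) -> str:
    """Backend only: build header.payload.signature with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url(sig.digest())}"

def read_payload(token: str) -> dict:
    """What any token holder can do: decode the payload with no key at all."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_token(token: str, key: str, now: int) -> bool:
    """Check the algorithm and signature, then the nbf/exp validity window."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return False
    expected = hmac.new(key.encode(), f"{header}.{payload}".encode(), hashlib.sha256)
    if not hmac.compare_digest(expected.digest(), b64url_decode(sig)):
        return False
    claims = json.loads(b64url_decode(payload))
    return claims["nbf"] <= now < claims["exp"]

DEVELOPER_KEY = "constructed-example-key"  # placeholder; load the real key from a secret store
MEETING_START = 1_900_000_000              # constructed Unix timestamp
CLAIMS = {
    "role": "moderator",           # hypothetical claim name (assumption)
    "nbf": MEETING_START - 300,    # usable from 5 minutes before the meeting
    "exp": MEETING_START + 3600,   # rejected from one hour after the start
}
TOKEN = sign_token(CLAIMS, DEVELOPER_KEY)

if __name__ == "__main__":
    print("payload readable without the key:", read_payload(TOKEN))
    print("valid during meeting:", verify_token(TOKEN, DEVELOPER_KEY, MEETING_START))
    print("valid after exp:", verify_token(TOKEN, DEVELOPER_KEY, MEETING_START + 3600))
```

In production a maintained JWT library does the same signing; the hand-rolled version here only makes the token's structure visible.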
