Private channel
A private channel is a Pusher-protocol channel type that requires a signed auth token before a client can subscribe. Channel names use the private- prefix. The service refuses subscribe frames that lack a valid token signed with the app secret.
Why it matters
Private channels are the access-control surface of a real-time app. Without them, any client connected to the WebSocket service could subscribe to any named channel by guessing the name and receive every event broadcast on it. With them, the application server is the gatekeeper: it inspects the requesting session, decides whether the user is authorized to receive events on the channel, and signs a token only if the answer is yes.
This pattern keeps real-time authorization aligned with the rest of the application. The auth callback runs inside the same HTTP request lifecycle as the rest of the app, so it has the user session, the database, the policy layer, and whatever else the application uses to make access decisions.
How it works
The handshake follows the channel auth flow.
- Client opens a WebSocket connection. The service issues a socket_id.
- Client calls pusher.subscribe("private-user-42-notifications"). The SDK POSTs to the configured auth endpoint with socket_id and channel_name in the body.
- The application server inspects the session, checks authorization for that channel, and returns a JSON body containing an auth field of the form <app-key>:<hmac-signature>. The signature is HMAC-SHA256 of socket_id:channel_name keyed with the app secret.
- The client includes the signature in the pusher:subscribe frame. The service verifies the signature against the channel name and socket ID, and either accepts the subscription or returns pusher:subscription_error.
A minimal Laravel auth route:
use Illuminate\Support\Facades\Broadcast;
// Authorize only the user whose ID appears in the channel name.
Broadcast::channel('user-{userId}-notifications', function ($user, $userId) {
    return (int) $user->id === (int) $userId;
});
The Laravel Broadcasting service maps the private-user-42-notifications channel to that closure, runs it, and either signs the token or returns 403.
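The signing and verification steps of the handshake above, sketched as an added example that is not code from this page, Laravel, or any Pusher-protocol service. The app key, secret, socket ID and function names are constructed for illustration, and the signature is assumed to be hex-encoded as in the Pusher protocol.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample credentials (assumptions for this example, not real keys).
APP_KEY = "example-app-key"
APP_SECRET = b"example-app-secret"


def _signature(socket_id: str, channel_name: str) -> str:
    # HMAC-SHA256 over "socket_id:channel_name", keyed with the app secret.
    message = f"{socket_id}:{channel_name}".encode()
    return hmac.new(APP_SECRET, message, hashlib.sha256).hexdigest()


def sign_subscription(socket_id: str, channel_name: str, authorized: bool) -> Optional[dict]:
    """App-server side: build the auth body only if the policy check passed."""
    if not authorized:
        return None  # the HTTP layer would answer 403 here
    return {"auth": f"{APP_KEY}:{_signature(socket_id, channel_name)}"}


def verify_subscribe(socket_id: str, channel_name: str, auth: Optional[str]) -> bool:
    """Service side: recompute the HMAC for this socket and channel."""
    if not auth or ":" not in auth:
        return False  # subscribe frame without a token is refused
    key, _, signature = auth.partition(":")
    if key != APP_KEY:
        return False
    expected = _signature(socket_id, channel_name)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), signature.encode())


def demo() -> dict:
    sock, chan = "1234.5678", "private-user-42-notifications"  # constructed values
    body = sign_subscription(sock, chan, authorized=True)
    return {
        "valid": verify_subscribe(sock, chan, body["auth"]),
        # The token is bound to one channel and one connection:
        "other_channel": verify_subscribe(sock, "private-user-43-notifications", body["auth"]),
        "other_socket": verify_subscribe("9999.0001", chan, body["auth"]),
        "missing": verify_subscribe(sock, chan, None),
        "denied": sign_subscription(sock, chan, authorized=False),
    }


if __name__ == "__main__":
    print(demo())
```

Because the signed message includes both socket_id and channel_name, a token captured for one connection or channel does not verify for any other.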
Related terms
- Presence channel is the same auth model plus a member roster.
- Public channel is the no-auth counterpart.
- Channel auth is the signed handshake private channels rely on.
See also
- /learn/websockets-in-laravel for the Laravel BroadcastServiceProvider routes that gate private channels.
- /migrate/pusher-to-vask-laravel for how the auth callback stays unchanged across a host swap.
- What is a private channel?
- A private channel is a Pusher-protocol channel type that requires a signed auth token before a client may subscribe. Channel names start with the private- prefix. The service rejects subscribe frames that arrive without a valid token.
- How does auth work on a private channel?
- The client requests an auth token from the application's auth endpoint, passing the channel name and the connection's socket ID. The server signs both with the app secret and returns the signature. The client includes the signature in the pusher:subscribe frame.
- When should I use a private channel instead of a public channel?
- Whenever the channel carries data scoped to a specific user, team, or document. The auth callback is your enforcement point: deny the auth request to deny the subscription.