@rbartlet & @BarryCarlyon thanks for the answers, guys, that cleared things up a lot!
In the meantime I started developing my extension and was wondering about using my own web-socket connection instead of using PubSub’s web-socket. I was reading in another thread:
where it says that it’s fine to use web-sockets for the communication between the EBS and extension, as long as it uses TLS. I’m using the extension boilerplate sample provided by Twitch,
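```javascript
const fs = require('fs');
const https = require('https');
// TLS key and certificate from the boilerplate's certs directory
let options = {
  key: fs.readFileSync('../certs/testing.key'),
  cert: fs.readFileSync('../certs/testing.crt')
};
// `app` is the request handler defined elsewhere in the boilerplate
var server = https.createServer(options, app);
```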
where the server uses node’s ‘https’ module and establishes an HTTP protocol over TLS/SSL. On the client side, for the web-socket connection, I use socket.io and connect to it like this:
```javascript
var socket = io.connect("wss://localhost:8080", {
  reconnection: true,
  transports: ['websocket']
});
```
This connection will be secure, using SSL encryption.
It says in the documentation that it is best practice, whenever I communicate with my EBS, to send the JWT and verify it using my extension’s shared secret. Will this way of implementing the server-client communication through socket.io be secure enough, or do I also need to include the JWT, even when I only emit events between server & client? I’m a bit confused here…
Follow-up question: Since I want to use a second panel, I created a second extension (basically I just added another .html page to my extension boilerplate and referenced the URL in Twitch of my second extension), which uses the same mechanics as stated above. This means that each client on my channel will establish two socket connections, one for each extension, but with the same endpoint, my EBS. Is this fine, or does this cause a problem which I am not aware of? Hope you can shed some light on the matter…
Once again, here is a screenshot:
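TLS on the socket protects the traffic in transit; the JWT check that the documentation recommends is what tells the EBS which viewer and channel a connection belongs to. The following is an added example, not part of the original post or the Twitch boilerplate, of that check as socket.io middleware; it assumes the extension JWT is HS256-signed with the base64-encoded shared secret, and the names `verifyExtensionJwt`, `requireExtensionJwt` and `signSample` are hypothetical.

```javascript
// Added example: authenticate each socket with the Twitch extension JWT (hypothetical names).
const nodeCrypto = require('crypto');
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const hmac = (data, secretB64) =>
  nodeCrypto.createHmac('sha256', Buffer.from(secretB64, 'base64')).update(data).digest();

// Returns the verified claims or throws. secretB64 is the base64 shared secret.
function verifyExtensionJwt(token, secretB64, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, sig] = parts;
  const decode = (seg) => {
    try {
      const v = JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
      if (v && typeof v === 'object') return v;
    } catch (e) { /* fall through to the error below */ }
    throw new Error('malformed token');
  };
  // Pin the algorithm: the token must not get to choose it (e.g. "none").
  if (decode(h).alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(`${h}.${p}`, secretB64);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  const claims = decode(p); // parsed only after the signature checks out
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('token expired');
  return claims;
}

// Middleware for io.use(); token read from handshake.auth (socket.io v3+) or handshake.query (v2).
function requireExtensionJwt(secretB64) {
  return (socket, next) => {
    const hs = socket.handshake || {};
    const token = (hs.auth && hs.auth.token) || (hs.query && hs.query.token);
    try {
      socket.claims = verifyExtensionJwt(token, secretB64);
    } catch (err) {
      return next(new Error('unauthorized')); // connection is refused
    }
    next();
  };
}

// Constructed sample data for a local run; not a real secret or token.
function signSample(claims, secretB64) {
  const body = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${body}.${hmac(body, secretB64).toString('base64url')}`;
}
```

On the client, the token comes from the `window.Twitch.ext.onAuthorized` callback and can be passed in the connection options (`auth: { token }` on socket.io v3+). Because the check runs per connection, two panels connecting to the same EBS are each verified independently.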