PubSub JWT Token signing not working

I've been trying for hours to send a message with PubSub through my EBS but I'm always getting these 403 "JWT could not be verified" errors.
I've seen that many people are struggling with this but none of the mentioned solutions in similar posts are working for me.
I’m signing my token like this:

    const serverTokenDurationSec = 30;
    const payload = {
        exp: Math.floor(Date.now() / 1000) + serverTokenDurationSec,
        user_id: `${userId}`,
        channelId: `${channelId}`,
        role: 'external',
        pubsub_perms: {
            listen: ['broadcast'],
            send: ['*']
        }
    };
    return jwt.sign(payload, secret);

The secret is base64 decoded and I don't know what I am doing wrong.

What does the rest of your code look like? JWT generation is only part of what's going on here.

I think the problem here is that you have a listen in there and a technically invalid send of *

As for

broadcast is expected and a * rule might not match

To send to a single channel

  "exp": 1503343947,
  "user_id": "27419011",
  "role": "external",
  "channel_id": "27419011",
  "pubsub_perms": {

Here's an example, which talks to the global segments of pubsub and config services

I've done some changes as you suggested but it's still giving me the same error.
This is what I have now:

    function sendContributionBroadcast(contributor) {
        console.log("sending contribution broadcast");
        const channelId =;
        const token = makeServerToken(channelId);
        const headers = {
            'Client-ID': i,
            'Content-Type': 'application/json',
            'Authorization': `Bearer: ${token}`
        };
        const body = JSON.stringify({
            content_type: 'application/json',
            message: JSON.stringify(contributor),
            targets: ['broadcast']
        });
                method: 'POST',
            }, (err, res) => {
                if (err) {
                } else {

    function makeServerToken(channelId) {
        console.log(`makeServerToken( channelId: ${channelId} )`);
        const serverTokenDurationSec = 60;
        const payload = {
            "exp": Math.floor(Date.now() / 1000) + serverTokenDurationSec,
            "user_id": `${channelId}`,
            "channelId": `${channelId}`,
            "role": 'external',
            "pubsub_perms": {
                "send": ['broadcast']
            }
        };
        return jwt.sign(payload, secret);
    }

OK never mind, after posting my code I realized that I have a ":" after the Bearer part that was too much. But now I get the error: wrong channel requested.

We should migrate you to the new endpoint as the one you are calling is deprecated

The extension is installed to channelId?

And to be clear, you wrote the extension and the extension is installed to your own channel? (Just checking to confirm the test scenario)


    "channelId": `${channelId}`,

Should be

    "channel_id": `${channelId}`,

in your JWT construct

You are truly a god. Man thank you so much for your help. Finally it’s working. My last mistake was as you mentioned, the missing underscore at channel_id.


Make sure you move to the new endpoint as well!

You mean this one: ?


It also has a different format on the body so don’t get caught out!

JWT generation is the same

The broadcaster_id that is now needed at the new endpoint is the channel id right?


Nice, I migrated to the new endpoint, made the changes you've mentioned and it's still working. Thanks a lot and have a nice day or night depending on where you are in the world.
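
The token shape this thread converges on (base64-decoded secret, `channel_id` with the underscore, `send: ['broadcast']`, `Bearer` without a colon), as an added example that is not part of the original posts. It signs HS256 with Node's built-in `crypto` instead of the `jwt.sign` call used above; `lintPubSubClaims`, `signHs256`, `authHeader` and `SAMPLE_SECRET` are hypothetical names, and the secret is a constructed value.

```javascript
// Added example: sign an EBS PubSub JWT and lint its claims for the
// mistakes found in this thread before the token is sent anywhere.
const crypto = require('node:crypto');

// base64url without padding, as JWT segments require.
const b64url = (buf) => Buffer.from(buf).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// HS256 over "header.payload", keyed with the base64-DECODED secret.
function signHs256(payload, secretBase64) {
    const key = Buffer.from(secretBase64, 'base64');
    const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
    const body = b64url(JSON.stringify(payload));
    const sig = crypto.createHmac('sha256', key).update(`${head}.${body}`).digest();
    return `${head}.${body}.${b64url(sig)}`;
}

// Returns a list of problems; an empty list means none of the thread's mistakes are present.
function lintPubSubClaims(payload, nowSec = Math.floor(Date.now() / 1000)) {
    const problems = [];
    if ('channelId' in payload) problems.push('channelId should be channel_id');
    if (typeof payload.channel_id !== 'string') problems.push('channel_id missing');
    if (payload.role !== 'external') problems.push('role should be external');
    if (!(payload.exp > nowSec)) problems.push('exp missing or expired');
    const send = (payload.pubsub_perms || {}).send;
    if (!Array.isArray(send) || !send.includes('broadcast')) {
        problems.push('pubsub_perms.send should include broadcast');
    }
    return problems;
}

function makeServerToken(channelId, secretBase64, ttlSec = 60) {
    const payload = {
        exp: Math.floor(Date.now() / 1000) + ttlSec,
        user_id: `${channelId}`,
        channel_id: `${channelId}`,
        role: 'external',
        pubsub_perms: { send: ['broadcast'] },
    };
    const problems = lintPubSubClaims(payload);
    if (problems.length) throw new Error(problems.join('; '));
    return signHs256(payload, secretBase64);
}

// No colon after "Bearer": the extra ":" was the first mistake found above.
const authHeader = (token) => `Bearer ${token}`;

// Constructed sample secret (base64 text, as an extension secret is handed out); not a real credential.
const SAMPLE_SECRET = Buffer.from('constructed-demo-secret').toString('base64');
```

Running `lintPubSubClaims` on the payload from the first post reports the `channelId` key and the `*` send rule before any request is made.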