Join Tencent RTC at NAB Show 2024 in Las Vegas!
Learn more 
Only  $9.9! Get 50,000 minutes with our Starter Plan, perfect for your MVP project.
Only $9.9! Get 50,000 minutes with our Starter Plan, perfect for your MVP project.
Grab It Now 
Join Tencent RTC at NAB Show 2024 in Las Vegas!
Learn more 
Only  $9.9! Get 50,000 minutes with our Starter Plan, perfect for your MVP project.
Only $9.9! Get 50,000 minutes with our Starter Plan, perfect for your MVP project.
Grab It Now 
Features & Server APIs
  • On-Cloud Recording
  • Relay to CDN
  • RTMP Streaming with TRTC
  • Event Callbacks
    • Event Callbacks
    • Relay to CDN Callback
    • Verify Signature Example
  • Sending and Receiving Messages
  • Access Management
    • Overview
    • Manageable Resources and Actions
    • Preset Policies
    • Custom Policies
  • Enabling Advanced Permission Control
  • How to push stream to TRTC room with OBS WHIP
  • Server APIs
    • API Category
    • History
    • Making API Request
      • Request Structure
      • Common Params
      • Signature v3
      • Signature
      • Responses
    • Room Management APIs
      • SetUserBlockedByStrRoomId
      • SetUserBlocked
      • RemoveUser
      • DismissRoom
      • RemoveUserByStrRoomId
      • DismissRoomByStrRoomId
    • Call Quality Monitoring APIs
      • DescribeRoomInfo
      • DescribeUserEvent
      • DescribeCallDetailInfo
      • DescribeUserInfo
      • DescribeScaleInfo
    • Pull Stream Relay Related Interface
      • StartStreamIngest
      • StopStreamIngest
      • DescribeStreamIngest
    • On-cloud Recording APIs
      • CreateCloudRecording
      • DescribeCloudRecording
      • ModifyCloudRecording
      • DeleteCloudRecording
    • Stream Mixing and Relay APIs
      • UpdatePublishCdnStream
      • StartPublishCdnStream
      • StopPublishCdnStream
    • Usage Statistics APIs
      • DescribeTrtcUsage
      • DescribeRecordingUsage
      • DescribeMixTranscodingUsage
      • DescribeRelayUsage
      • DescribeTrtcRoomUsage
    • Data Types
    • Error Codes
    • Appendix
      • Event ID Mapping Table
Features & Server APIs

Enabling Advanced Permission Control


You may consider enabling Advanced Permission Control if you want to allow only specific users to enter a room or use their mics, but are worried that giving permissions on the client side makes the service vulnerable to attacks and cracking.
You do not need to enable advanced permission control in the following scenarios:
Scenario 1: You want an audience as large as possible and do not want to control access to rooms.
Scenario 2: Preventing client-side attacks is not your priority at the moment.
We recommend that you enable advanced permission control for enhanced security in the following scenarios:
Scenario 1: Your video or audio calls have high security requirements.
Scenario 2: You want to implement different access controls for different rooms.
Scenario 3: You want to control the use of mics by audience.

Supported Platforms


Understanding Advanced Permission Control

After you enable advanced permission control, TRTC will verify not only UserSig (the room entry ticket), but also PrivateMapKey (the permission ticket). The latter contains an encrypted roomid and permission bit list.
A user providing only UserSig but not PrivateMapKey will be unable to enter the specified room.
The permission bit list in PrivateMapKey uses the eight bits of a byte to represent different permissions for users holding PrivateMapKey.
Bit Sequence
0000 0001
Room creation
0000 0010
Room entry
0000 0100
Sending audio
0000 1000
Receiving audio
0001 0000
Sending video
0010 0000
Receiving video
0100 0000
Sending substream (screen sharing) video
1000 0000
Receiving substream (screen sharing) video

Enabling Advanced Permission Control

Step 1. Log in to the TRTC console and enable advanced permission control

1. In the TRTC console, click Application Management on the left sidebar.
2. In the application list, find the application for which you want to enable advanced permission control, and click Function Configuration.
3. In the Advanced Permission Control section, click the toggle next to Enable and then click Confirm to enable advanced permission control.

After you enable advanced permission control for an application (SDKAppid), all users using the application must pass privateMapKey in TRTCParams to enter a room (as described in Step 2 below). Therefore, you are not advised to enable the feature if you have active users using the application.

Step 2. Calculate PrivateMapKey on your server

PrivateMapKey protects the client from being reverse engineered and cracked and consequently prevents non-members from entering high-level rooms. Therefore, instead of calculating PrivateMapKey directly on your application, you should do so on your server and then return the result to your application.
We provide PrivateMapKey calculation codes for Java, GO, PHP, Node.js. Python, C#, and C++. You can download and integrate them into your server.
Programming Language
Key Functions
Download Link
genPrivateMapKey and genPrivateMapKeyWithStringRoomID
GenPrivateMapKey and GenPrivateMapKeyWithStringRoomID
genPrivateMapKey and genPrivateMapKeyWithStringRoomID
genPrivateMapKey and genPrivateMapKeyWithStringRoomID
genPrivateMapKeyand genPrivateMapKeyWithStringRoomID
genPrivateMapKey and genPrivateMapKeyWithStringRoomID
genPrivateMapKey and genPrivateMapKeyWithStringRoomID

Step 3. Distribute PrivateMapKey from your server to your application

As shown in the figure above, PrivateMapKey is calculated on your server and distributed to your application, which can then pass the PrivateMapKey to the SDK via two methods.

Method 1: passing PrivateMapKey to the SDK when calling enterRoom

You can set privateMapKey in TRTCParams when calling the enterRoom API of TRTCCloud.
This method verifies PrivateMapKey when users enter a room. It is simple and is used to assign permissions to users before room entry.

Method 2: updating PrivateMapKey to the SDK through an experimental API

During live streaming, when audience turn their mics on to co-anchor, TRTC will re-verify the PrivateMapKey carried in TRTCParams at the time of room entry. That means if you set a short validity period for PrivateMapKey, such as 5 minutes, the re-verification may fail and cause the audience to be removed from the room when they switch to the role of “anchor”.
To solve this issue, you can extend the validity period, for example, from 5 minutes to 6 hours or, before the audience call switchRole to switch to the role of “anchor”, apply for a new PrivateMapKey from your server and update it to the SDK by calling the experimental API updatePrivateMapKey. Below is the sample code:
JSONObject jsonObject = new JSONObject();
try {
jsonObject.put("api", "updatePrivateMapKey");
JSONObject params = new JSONObject();
params.put("privateMapKey", "xxxxx"); // Enter the new `privateMapKey`.
jsonObject.put("params", params);
} catch (JSONException e) {

NSMutableDictionary *params = [[NSMutableDictionary alloc] init];
[params setObject:@"xxxxx" forKey:@"privateMapKey"]; // Enter the new `privateMapKey`.
NSDictionary *dic = @{@"api": @"updatePrivateMapKey", @"params": params};
NSData *jsonData = [NSJSONSerialization dataWithJSONObject:dic options:0 error:NULL];
NSString *jsonStr = [[NSString alloc] initWithData:jsonData encoding:NSUTF8StringEncoding];
[WXTRTCCloud sharedInstance] callExperimentalAPI:jsonStr];

std::string api = "{\"api\":\"updatePrivateMapKey\",\"params\":{\"privateMapKey\":"xxxxx"}}";

std::string api = "{\"api\":\"updatePrivateMapKey\",\"params\":{\"privateMapKey\":"xxxxx"}}";


1. Why can't I enter any online room?

After you enable room permission control for an application (SDKAppid), users must pass PrivateMapKey in TRTCParams to enter any room under the application. Therefore, if your online business is running, and you haven’t integrated into it the privateMapKey logic, please do not enable room permission control.

2. What is the difference between PrivateMapKey and UserSig?

UserSig is a required parameter of TRTCParams, which is used to check whether the current user is authorized to use TRTC services and prevent attackers from stealing the traffic in your application (SDKAppid).
PrivateMapKey is an optional parameter of TRTCParams, which is used to check whether the current user is authorized to enter the specified room (roomid) and confirm the user’s permissions in the room. Use PrivateMapKey only if you need to distinguish users from one another.