Skip to main content

Security

In this section you will be able to change how the tickets that a customer uses to join a call are created and managed by our security module.

A ticket is a 6-or-9 random character id that is used to give access to an unauthenticated user to an auvious call. A shareable link that is created by an agent carries the ticket in the URL like this https://auvious.video/t/<ticket>.

By default, an invitation link that is generated by the agent carries a ticket that is reusable. This means that this ticket can be used more than one times by one or more users to join a room within a 4-hour period. Once 4 hours pass from the time the ticket was created, it is expired and no-one can re-join the room.

There are options to change this and make a ticket be used only once. This means once a user follows a link and joins a room, the ticket is automatically expired. The same user can re-join the call if he/she refreshes the browser page but a new user or the same user in a new browser cannot reuse the same url.

This option applies to tickets that are created by the agent and by tickets that are created by auvious in appointments.

You also have the ability to change the default 6-character ticket to a 9-character.

info

Co-browse tickets are always a 6-character tickets.

Security

Custom domain URL

Here you can provide a custom base url that will be used to hide https://auvious.video from customers. This means that all customer links will instead use the provided custom domain url. Please make sure that you include https://, e.g. https://custom.example.com. For this setting to actually work you will need to already have setup a simple Reverse Proxy service, with the following specifications:

  • Proxy incoming requests to https://auvious.video using HTTP 1.1 protocol
  • Serve incoming HTTPS requests at port 443
  • Use a valid SSL certificate, signed by some well known certificate authority
  • Add X-Forwarded-For and X-Forwarded-Proto headers

Nginx and HAProxy are two popular free and Open Source reverse proxy servers which you could use.

Access Token

By default, the access tokens of the auvious user, either an agent or a customer, are stored in the sessionStore of the browser. The sessionStore is destroyed once the tab is closed. This means it persists during tab refreshes. If, for some reason, you would like not to keep any tokens in the browser, you can disable the option both for the customer and the agent. This means that the agent will have to re-authenticate on each tab refresh. Same for the customer.

If for some reason your authentication provider does not allow redirects, we also support popups for authentication. Just enable this option and don't forget to also allow popups in your browser.

danger

If you have enabled a single-use link for customers in "link settings" and have disabled the sessionStore, the customer will not be able to join the call if they refresh the browser page.