[Developers]

Realtime Connection Security

Every live channel on the platform, from dispatch event streams to responder push-to-talk, opens only for a verified session, receives only its own organisation's events, and closes promptly when access is revoked.

Category: ModulesLast Updated: Jul 16, 2026
modulesreal-time

Overview#

Every live channel on the platform, from dispatch event streams to responder push-to-talk, opens only for a verified session, receives only its own organisation's events, and closes promptly when access is revoked.

Emergency consoles, command dashboards, and field devices hold connections open for hours at a time, and a long-lived channel that outlives the session that opened it, or that leaks another agency's traffic, is a direct operational risk.

Realtime Connection Security is the platform-wide discipline applied to those channels. Live-update streams for operational pictures, collaborative documents, cross-region event relays, dashboards, the emergency console, and the responder mobile app all authenticate the connection itself, derive who is listening on the server side, and keep re-checking that the session is still valid for as long as the channel stays open. It serves security officers, multi-agency operations managers, and administrators who need live data to move fast without moving to the wrong audience.

Key Features#

  • Verified-Token Connection Authentication: Every live channel authenticates with a verified, correctly scoped realtime credential before it opens; malformed or unscoped credentials are rejected, and ambient cookie authentication has been removed from live endpoints to prevent cross-site connection hijacking. The dispatcher audio bridge applies the same gate before any audio socket opens.
  • Credentials in the Handshake, Never the Address: Realtime connection tokens ride inside the connection handshake, never in connection URLs where they could leak into logs or browser history.
  • Server-Side Tenant and Identity Derivation: Subscribe operations derive the subscriber's organisation and identity from the verified session and fail closed; publishing into a channel requires authorisation, and collaborative document sessions authenticate and tenant-scope every connection upgrade.
  • Per-Workspace Payload Slicing: Operational picture broadcasts are sliced per workspace, so a connection can only ever receive the events intended for its own organisation and workspace.
  • Continuous Session Re-Validation: Live connections re-validate the session every sixty seconds and disconnect immediately when the session is revoked, so deprovisioning a user cuts their live feeds within a minute.
  • Environment Isolation: Staging deployments connect to staging services and production to production, with guards against cross-environment drift and automated tests that keep the gating behaviour locked in.
  • Mobile Handshake and Endpoint Verification: Dispatch, communications, and push-to-talk sockets on the responder app confirm the server actually completed the authenticated handshake and disconnect immediately if it did not; server-supplied connection paths and room identifiers are validated against strict allow-lists, and the organisation requested for a dispatch channel is cross-checked against the signed session, with server-side enforcement remaining authoritative.
  • Validated Voice and Media Paths: Video elements accept only local media sources, never remote or script-bearing addresses; voice relay servers are filtered against a trusted allow-list before any call is set up, with the session aborted if none survive, and malformed incoming frames are logged with context rather than silently converted into synthetic events.

Cross-region publish and subscribe relays additionally require signed tokens and a publisher secret, and connection statistics endpoints are role-gated and tenant-scoped.

Use Cases#

  • Tenant Security Officer Assurance: A security officer can state with confidence that live call and event streams are only ever delivered to authenticated, authorised console sessions.
  • Multi-Agency Command Dashboards: An operations manager runs shared live dashboards across agencies knowing that no agency can see another's feed.
  • Rapid Deprovisioning: An administrator removing a departing user knows their live dashboards and feeds are disconnected within a minute, not at the end of a long-lived socket.
  • Tactical Teams on Untrusted Networks: Field teams operating on hostile or untrusted networks get fail-closed channel behaviour instead of silently degraded or spoofable connections.
  • Sensitive Live Collaboration: Teams co-edit sensitive documents in real time without cross-tenant exposure risk, because every collaboration session is authenticated and tenant-scoped at the moment it connects.

Integration#

Realtime Connection Security underpins the live surfaces documented elsewhere in the catalogue: the emergency call-taking console and its common operating picture, real-time dispatch and mobile push-to-talk, collaborative document workspaces, and live operational dashboards. It works hand in hand with session management, which governs how sessions are issued and revoked, and with multi-tenant access control, which defines the organisation boundaries the channel layer enforces on every subscribe. Administrators do not configure it per feature; the same connection gates apply automatically wherever the platform pushes live data.

Open Standards#

  • RFC 6455 (The WebSocket Protocol): Live event streams, dashboards, and collaboration channels run over standards-based socket connections, with authentication carried in the connection handshake rather than the connection address.
  • RFC 7519 (JSON Web Tokens): Connection credentials are signed, scoped tokens verified before any channel opens, consistent with the token model used across the platform's identity layer.
  • RFC 8445 (Interactive Connectivity Establishment): Responder voice sessions establish media paths using ICE, with candidate relay servers validated before any call is set up.
  • RFC 8656 (Traversal Using Relays around NAT): Only relay servers on a trusted allow-list are offered to the media stack, and the session is aborted if none survive validation.

Last Reviewed: 2026-07-16 Last Updated: 2026-07-16

Ready to Build?

Get started with our APIs or contact our integration team for support.