Add token source API for fetching LiveKit tokens

[alan-george-lk]

Summary

• Adds new public API token_source.h, allowing users to now mint tokens using the following paths:
  • Literal: user-provided token (basically the legacy livekit-cli minted path)
  • Sandbox: enable a sandbox token server via LiveKit cloud, and allow users insecurely mint tokens (development only)
  • Endpoint: production-level server support
• Additional public API changes include:
  • room.h -> new ways to connect with tokens
  • room_delegate.h -> new callback with the new event
  • room_event_types.h -> new information-only event type when tokens are refreshed by the server (see below)

Server Token Refresh

LiveKit server token refresh existed before this feature, but this branch now adds support for the FFI event onTokenRefreshed.

New Dependencies

• libcurl4-openssl - used for HTTP token endpoint support
• nlohmann/json - JSON serialization/deserialization support for all configurable token source types

Testing

Validated through a combination of unit, integration, and standalone binary tester program against a LiveKit Cloud agent with a live token server.

Token Server Action

Integration tests now test against a basic token server implementation run in GitHub actions live (skipped locally).

Sandbox Token

Verified locally by connecting to a LiveKit cloud instance:

auto sandbox_token = livekit::SandboxTokenSource::fromSandboxId("<omitted but valid>");

And results printed below:

./build-release/bin/token_source_tester
...
Server URL: <omitted but valid>
Participant Token: <omitted but valid>
Participant Name: efficient-sensor
Connected to room
Local participant: cpp-test-a

[xianshijing-lk]

might need help to understand the TokenSource a bit more

[MaxHeimbrock]

I am using the tokensource sandbox and it is working fine for me 👍

[xianshijing-lk]

lgtm with some comments, please address them.

Great work!!!

[xianshijing-lk]

@1egoman , could you please help review this token-lifecycle.md ?

[alan-george-lk]

I actually generated this for him while I had some active LLM context around this topic, I removed it as I don't want this SDK to be an authoritative documentation source compared to docs.livekit.io.

I do think we should have some better docs around token source and lifetimes, while going through this process it felt a little disjointed and agents/frontend-focused and not just a general document for token source terms, functions, lifecycles, etc for client SDKs.

[xianshijing-lk]

nit, would you consider forward declare those types, and move the #include "livekit/token_source.h" to the cpp ?

One benefit for it is that it could speed up the build.

[alan-george-lk]

Added

[xianshijing-lk]

nit, just do "virtual ~TokenSourceFixed() = default" here and remove the cpp line

The same for virtual ~TokenSourceConfigurable() = default;

[alan-george-lk]

Added

[xianshijing-lk]

consider a helper function like

namespace {

template <typename FetchFn>
bool connectWithTokenSource(Room& room, const RoomOptions& options, FetchFn&& fetch) {
  Result<TokenSourceResponse, TokenSourceError> details =
      Result<TokenSourceResponse, TokenSourceError>::failure(TokenSourceError{"token source not invoked"});

  try {
    details = fetch().get();
  } catch (const std::exception& e) {
    LK_LOG_ERROR("Room::connect failed: token source threw: {}", e.what());
    return false;
  } catch (...) {
    LK_LOG_ERROR("Room::connect failed: token source threw unknown exception");
    return false;
  }

  if (!details) {
    LK_LOG_ERROR("Room::connect failed: token source error: {}", details.error().message);
    return false;
  }

  const auto& value = details.value();
  return room.connect(value.server_url, value.participant_token, options);
}

} // namespace

Then these two function can become:

bool Room::connect(TokenSourceFixed& token_source, const RoomOptions& options) {
  return connectWithTokenSource(*this, options, [&] {
    return token_source.fetch();
  });
}

bool Room::connect(TokenSourceConfigurable& token_source,
                   const TokenRequestOptions& request_options,
                   const RoomOptions& options) {
  return connectWithTokenSource(*this, options, [&] {
    return token_source.fetch(request_options, false);
  });
}

[1egoman]

FWIW, we opted not to do this in other sdks, and determined this was the session api's job. Relevant pull request: livekit/client-sdk-js#1677

[alan-george-lk]

Added!

[xianshijing-lk]

any idea why CustomTokenSource will skip the force_refresh ?

[alan-george-lk]

This comment actually led to an API design change, see here: e39e55e

Having such an argument for a custom source would require passing that argument along to the custom implementation, which felt weird as the custom token source was just a user function that could decide anything it needed to. I have instead dropped force_refresh entirely, and opted for caching_token_source.invalidate() which matches how Swift/Android do it.

In short, this original design around forcing refresh was modeled after JS with the force_refresh. But JS actually goes for an inheritance-based approach to cacheing token sources, vs. here which is using a decorator (Swift/Android do it this way), so forcing refresh was consistent across all sub-classes and didn't have an awkward drop like this did.

It was basically a divergence in both approaches (force + decorator vs. force + inheritance), now it's more aligned to Swift/Android.

[xianshijing-lk]

any reason why we want to run the inner_->fetch() under the lock ?

Will it be safer to do ?

{
  std::scoped_lock lock(mutex_);
  if (!force_refresh && cached_details_ && cached_options_ &&
      tokenRequestOptionsEqual(*cached_options_, *options_snapshot) &&
      isParticipantTokenValid(cached_details_->participant_token)) {
    return TokenSourceResult::success(*cached_details_);
  }
}

auto result = inner_->fetch(*options_snapshot, force_refresh).get();

[alan-george-lk]

Holding the mutex over the fetch is how JS and Swift do it, I'm open to your change but it would be a divergence

[xianshijing-lk]

isn't the endpoint_ created in line 210 already ? any reason why it needs to be re-created ?

[alan-george-lk]

Great catch, this slipped through. Now have a private constructor that accepts an already made endpoint so both the public and test access versions can avoid recreation

[xianshijing-lk]

question, does path need to include lpszExtraInfo ? like when lpszExtraInfoLength > 0 ?

[alan-george-lk]

Addressed

[1egoman]

Generally looks good to me, and I think matches the interfaces on other sdks pretty well!

[1egoman]

nitpick: in other sdks (for example, web) this was just called deployment. I like this agentDeployment name better though and had brought it up during the review process when it was added recently but I think it got missed. It might be worth changing this for consistency, idk.

[alan-george-lk]

Android and Swift (which this largely models) both use agentDeployment. So I think it's a 50/50 consistency roll of the dice 🤔

[1egoman]

Ugh I hadn't realized it was so fragmented 😧