Protect DDP with a login



I made a DDP API for external access to a DB. How can I protect this API with a token or username/password?

Can I detect whether the client does a request or a third-party client does a request?

Thanks for the help.


just use Meteor.loginWithPassword


Do you have an example?


Check out the docs on the accounts package and this page


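Yes, sure. You can use Asteroid.

// Meteor backend. The constructor argument is cut off in the original post;
// BACKEND_HOST is a placeholder for it.
Meteor = new Asteroid(BACKEND_HOST);

Users = Meteor.getCollection('users');

// event
Meteor.on('login', function () {
  Users.reactiveQuery({}).result[0]; // your logged-in user
});

// The first argument is missing in the original post; usernameOrEmail is a placeholder.
Meteor.loginWithPassword(usernameOrEmail, user.pass).then(function (result) {
  // redir
}, function (error) {
  // login failed
});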

OK, thanks for the help, I'll try this.


The easiest way would be to check for a token on the server and reject it if there’s no match:

  getSecrets: function(docId, token) {
    // reject the call unless the caller presents the shared token
    if (token !== 'secret123') {
      throw new Meteor.Error(401, 'not authorized');
    }
    return Secrets.findOne(docId);
  }

You should also not hard-code the private token. If it’s for internal use you can put it in your Meteor settings and then check against Meteor.settings.your_secret_token instead of 'secret123'.

If the consumer is a registered user and they’re on the client then you can check for a userId instead:

  getSecrets: function(docId) {
    // if logged in with user/pass on client this.userId will be their id
    // using roles package
    if (Roles.userIsInRole(this.userId, ['view-secrets','admin'])) {
      return Secrets.findOne(docId);
    } else {
      throw new Meteor.Error(401, 'not authorized');
    }
  }
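
The token check from the last answer, as an added example that is not code from the thread: the token comes from settings, argument types are validated, and the comparison is constant-time. It runs under plain Node, so `MethodError`, `tokensMatch`, `makeGetSecrets` and the sample data are assumptions standing in for `Meteor.Error`, a `Meteor.methods` entry, `Meteor.settings` and the `Secrets` collection.

```javascript
const crypto = require('crypto');

// Stand-in for Meteor.Error so the block runs under plain Node (assumption).
class MethodError extends Error {
  constructor(error, reason) {
    super(reason);
    this.error = error;
    this.reason = reason;
  }
}

// Compare two strings without leaking, through timing, how much of the
// token matched. Hashing first yields equal-length buffers, which
// crypto.timingSafeEqual requires.
function tokensMatch(presented, expected) {
  const a = crypto.createHash('sha256').update(presented, 'utf8').digest();
  const b = crypto.createHash('sha256').update(expected, 'utf8').digest();
  return crypto.timingSafeEqual(a, b);
}

// Builds the body of a getSecrets method. `settings` plays the role of
// Meteor.settings and `secrets` of the Secrets collection (hypothetical names).
function makeGetSecrets(settings, secrets) {
  return function getSecrets(docId, token) {
    const expected = settings.your_secret_token;
    // Fail closed: an unset or empty configured token authorizes nobody.
    if (typeof expected !== 'string' || expected.length === 0) {
      throw new MethodError(500, 'token not configured');
    }
    // Method arguments come from the client and can be any EJSON type.
    if (typeof docId !== 'string' || typeof token !== 'string') {
      throw new MethodError(400, 'bad arguments');
    }
    if (!tokensMatch(token, expected)) {
      throw new MethodError(401, 'not authorized');
    }
    return secrets.findOne(docId);
  };
}

// Constructed sample data, not from the original thread.
const sampleSecrets = {
  docs: new Map([['doc1', { _id: 'doc1', value: 'constructed sample' }]]),
  findOne(id) { return this.docs.get(id); },
};
const getSecrets = makeGetSecrets(
  { your_secret_token: 'constructed-token-value' }, sampleSecrets);
```

In a Meteor app the returned function would be registered under `Meteor.methods`, with the token supplied through the settings file rather than the source tree.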