Can I use Pusher Channel Authentication with Web Framework CSRF Protection?


The Pusher JavaScript client library makes an authentication AJAX request when subscribing to a Private or Presence channel. This AJAX request is done in the form of a POST request.

By default a POST request from JavaScript is intercepted and forbidden with a 403 response with many web frameworks such as Ruby on Rails and Laravel as it will be seen as a Cross-site Request forgery attempt.


The solution depends on the client library that you are using:


Parameters to be sent along with the authentication request can be set in the Pusher constructor options parameter.

var pusher = new Pusher('app_key', {
  auth: {
    params: {
      CSRFToken: 'some_csrf_token'

An alternative is to use jsonp authentication, as this is made using a GET request so shouldn't be treated as CSRF attempt. See


The documentation for setting HTTP headers for libPusher can be found here:


The documentation for setting HTTP headers for pusher-websocket-java can be found here:

Still have questions? Please reach out to our Support team by visiting this page.

Last updated