Enabling read/write permissions in a JWT token does not imply setting read/write permissions on a feed.
Auth and permissions work differently server-side than on the frontend. The backend is considered a trusted environment, whereas client-side applications are not considered safe and require more checks. JWT tokens are client-side tokens that allow performing API calls on behalf of a user.
Therefore, once unique auth tokens are provided for all your users, Stream will perform permission checks to enforce security and avoid abuse.
These permission policies are defined by default. Here are two main examples of default permission behaviors:
- A user can perform any operation (read, write, update...) on feeds that they own (user_id matching)
- A user who follows a feed can only read activities on that feed
You can find information about permissions in our documentation: https://getstream.io/docs/auth_and_permissions/?language=js
Are you looking to create a feed where all your users should be able to perform read and/or write operations?
If that is the case, you need to change the permission policies for the feed group concerned to set it as a global read/write feed. As described in our documentation (https://getstream.io/docs/auth_and_permissions/?language=js#how_to_change_permissions), in that case, you will need to reach out to firstname.lastname@example.org with the application ID, feed group name, (one of) the email address(es) registered with your app organization, and the requested permission change to global read or read/write.
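
The behaviour described above can be modelled in a few lines. This is an added illustration, not Stream's code: the secret, the function names, the extra `action` claim and the `global_access` parameter are assumptions made for the example. It shows that a signed token only identifies the user, while the feed's policy decides what that user may do.

```python
import base64, hashlib, hmac, json

API_SECRET = b"constructed-demo-secret"  # constructed value; stays on the backend

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(API_SECRET, signing_input.encode(), hashlib.sha256).digest()

def mint_user_token(user_id: str, **extra_claims) -> str:
    """Backend (trusted): issue one HS256 JWT per user."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64e(json.dumps({"user_id": user_id, **extra_claims}).encode())
    return f"{header}.{payload}.{b64e(sign(header + '.' + payload))}"

def verify(token: str):
    """Return the claims dict when the signature checks out, else None."""
    try:
        header, payload, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{header}.{payload}"), b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None
        claims = json.loads(b64d(payload))
        return claims if isinstance(claims, dict) else None
    except (ValueError, TypeError, AttributeError):
        return None

def is_allowed(token, action, feed_owner, followers, global_access=frozenset()):
    """Server-side check: the feed's policy decides, not claims in the token."""
    claims = verify(token)
    if claims is None:
        return False                      # forged or malformed token
    user = claims.get("user_id")
    if not isinstance(user, str):
        return False                      # token does not identify a user
    if action in global_access:           # feed group set to global read or read/write
        return True
    if user == feed_owner:                # owner (user_id matching): any operation
        return True
    return action == "read" and user in followers  # follower: read only

if __name__ == "__main__":
    bob = mint_user_token("bob", action="write")  # extra claim is constructed
    print(is_allowed(bob, "write", "alice", {"bob"}))  # policy, not the claim, decides
```
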