Enabling read/write permissions in a JWT token does not imply setting read/write permissions on a feed.
Auth and permissions work differently server-side than on the front end. The backend is considered a trusted environment where client-side applications are not considered safe and require more checks. JWT tokens are client-side tokens that allow performing API calls on behalf of a user.
Therefore, once unique auth tokens are provided for all your users, Stream will perform permission checks to enforce security and avoid abuses.
These permission policies are defined by default. Here are two main examples of default permissions behaviors :
- A user can perform any operations (read, write, update...) on feeds that he owns (user_id matching)
- A user who follows a feed can only read activities on that feed
You can find information about permissions in our documentation: https://getstream.io/docs/auth_and_permissions/?language=js
Are you looking for creating a feed where all your users should be able to perform read or/and write operations?
If that is the case, you need to change permissions policies for the concerned feed group to set it as a global read/write feed. As described in our documentation (https://getstream.io/docs/auth_and_permissions/?language=js#how_to_change_permissions), in that case, you will need to reach out to https://getstream.io/contact/support/ with the application ID, feed group name, (one of) the email address(s) registered with your app organization, and requested permission change to global read or read/write.