You have a streaming project for a limited audience or just want to stream personally, however, may have some concerns about its reachability. The one-time token method is one of the effective authentication methods for secure video streaming. Ant Media Server offers one-time token security control option with 1.5.0 version.
The Parameters of the Token for Secure Video Streaming
There are 4 parameters of the token, tokenId, streamId, expireDate and type.
- tokenId: Generated a random string from service
- streamId: The Id of the resource that the user wants to reach
- expireDate: The expiration date of the token (Use Unix Timestamp, such as 1560771964)
- type: Either publish or play token
- roomId: : The room id for playing streams in the conference room.
The Steps for Token Control Mechanism
Step 1. Enable Setting
Firstly, the setting should be enabled in the management panel.
If One-Time Token control option is active, then all publish and play requests should be sent with a token parameter.
Step 2. Create a Token
The Server creates tokens with getToken Rest Service getting streamId, expireDate and type parameters. Therefore it is important that streamId and type parameters should be defined properly. Because tokenId needs to match with both streamId and type.
Step 3. Request with Token
The system controls token validity during publishing or playing.
RTMP Publishing: You need to add a token parameter to RTMP URL before publishing. Sample URL:
WebRTC Publishing: Token parameter should be inserted to publish WebSocket message. For details about WebRTC WebSocket messaging please visit wiki page.
Live Stream/VoD Playing: Same as publishing, the token parameter is added to URL. Sample URL:
WebRTC Playing: Again the token parameter should be inserted to play WebSocket message. Please have a look at the principles described in the wiki page.
Step 4. Evaluation of the Token
Ant Media Server evaluates based on its properties to secure your streams. Whether it is valid for the requested stream or not is controlled. Another important control process is checking the type of the token. Because the developer or administrator may give access to a user to play a stream but not publish to this stream even with the same streamId.
Once the token is successfully validated by Ant Media Server, then it is removed from the database so that other requests with the same token will be dismissed. Since consecutive requests are sent during playing/accessing streams, the session information saved after the one-time token is consumed.
Please have a look at the documentation for further information.
Contact us if you have any questions or suggestions with the contact form or email contact [at] antmedia.io