The Time-based One-time Password (TOTP) algorithm is a recently implemented stream security mechanism in Ant Media Server. It provides tokens that are valid only for a limited time period, so publishers and players must use their tokens within that period to be able to publish or play.

What is a Time-based One-Time Password (TOTP)?

The Time-based One-time Password algorithm (TOTP) is an extension of the HMAC-based One-time Password algorithm (HOTP) that generates a one-time password (OTP) by taking its uniqueness from the current time instead of a counter. You can find more on TOTP here.

How to use TOTP in Ant Media Server

We define a publisher or player as a subscriber. If the time-based token is enabled, a subscriber should be created for the stream to be able to publish or play. Each subscriber has an ID and a code. When a subscriber requests to publish or play a stream, they should provide their ID and the time-based token generated for their code. Otherwise, the server doesn't accept the publish or play request.

Enabling TOTP and Related Settings

You can enable Time-based One-Time Password (TOTP) using the Management Panel or in the configuration file with settings.timeTokenSubscriberOnly=true. You can also set the TOTP period in seconds in the configuration file with settings.timeTokenPeriod=60.

Subscriber REST Operations

You should create subscribers and assign a base32 secret to each one. The length of a secret should be a multiple of 8 characters. You can create, delete, and list subscribers using the REST API, as in the following curl samples:

Create Subscriber

curl -X POST -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers -d '{"subscriberId":"publisherA", "b32Secret":"mysecret", "type":"publish"}'


curl -X POST -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers -d '{"subscriberId":"playerB", "b32Secret":"mysecret", "type":"play"}'

Delete subscriber

curl -X DELETE -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers/publisherA

Delete all subscribers

curl -X DELETE -H "Accept: Application/json" -H "Content-Type: application/json" http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers

List All Subscribers

curl -i -H "Accept: Application/json" -X GET "http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscribers/list/0/5"

Time-based one-time password (TOTP) Usage

Publish/Play Stream

A subscriber (publisher or player) should pass the subscriber ID and the generated TOTP to publish or play.

Publish URL

http://localhost:5080/WebRTCAppEE/?subscriberId=publisherA&subscriberCode=440456

Player URL

http://localhost:5080/WebRTCAppEE/?subscriberId=playerB&subscriberCode=438610
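
Added example (not code from the original post or from Ant Media): it generates the subscriberCode for the URLs above from a subscriber's base32 secret and the configured period. It assumes the server uses standard RFC 6238 TOTP with HMAC-SHA1 and six digits, as the six-digit codes above suggest; the function names are hypothetical and the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlencode

# RFC 4226/6238 published test key ("12345678901234567890" in base32), not a real secret.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(b32_secret):
    """Decode a base32 secret, enforcing the multiple-of-8 length rule stated above."""
    if not b32_secret or len(b32_secret) % 8 != 0:
        raise ValueError("b32Secret length must be a non-zero multiple of 8")
    # casefold=True accepts lowercase input; invalid characters raise binascii.Error
    return base64.b32decode(b32_secret, casefold=True)


def totp(b32_secret, period=60, at=None, digits=6):
    """RFC 6238 code for the time step containing `at` (HMAC-SHA1 is assumed)."""
    now = time.time() if at is None else at
    counter = int(now // period)  # changes once per `period` seconds
    mac = hmac.new(decode_secret(b32_secret), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def subscriber_url(base_url, subscriber_id, b32_secret, period=60, at=None):
    """Build a publish/play URL with subscriberId and subscriberCode parameters."""
    query = urlencode({"subscriberId": subscriber_id,
                       "subscriberCode": totp(b32_secret, period, at)})
    return base_url + "?" + query


if __name__ == "__main__":
    base = "http://localhost:5080/WebRTCAppEE/"
    # Same secret and instant, different period: the code differs, so the client
    # period must match settings.timeTokenPeriod on the server.
    print(totp(RFC_TEST_SECRET, period=30, at=59))  # time step 1
    print(totp(RFC_TEST_SECRET, period=60, at=59))  # time step 0
    print(subscriber_url(base, "publisherA", RFC_TEST_SECRET))
```

A client whose clock has drifted past the end of the current period produces a code for a different time step, so keep publisher and player clocks synchronized with the server.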

Subscriber Statistics

You can get the stats for each subscriber with the following REST method.

curl -i -H "Accept: Application/json" -X GET "http://localhost:5080/WebRTCAppEE/rest/v2/broadcasts/stream1/subscriber-stats/list/0/5"

The response contains the following stats for the subscribers:

  • Connection/Disconnection events with timestamp
  • Average Video Bitrate
  • Average Audio Bitrate

When to use TOTP?

If you want to let only authenticated users publish to or play from your Ant Media Server, you may consider using TOTP. You can provide tokens to users for a restricted period. If you need statistics for each user, you can also use TOTP tokens.

In this post, we introduced the Time-based One-Time Password (TOTP) and its usage in Ant Media Server for stream security. You can find out about the other mechanisms for stream security in this post.

Burak Kekeç

Burak has been a Software Developer at Ant Media since its beginning in 2017. Overall, he has 16 years of software development experience with C, C++, Java EE, and Android.