How to secure stream with JWT Stream Security Filter

Published by Selim Emre Toy on

Try Live Demo

This blog post is one of the articles we have been looking forward to presenting to you. The newest feature of our secure stream series. We’ll be walking you through steps of how to enable and use the JWT Stream Security Filter.

How to enable JWT Stream Security Filter

You are able to enable or disable JWT Stream Security feature via our web management panel Dashboard / Application(LiveApp or etc.) / Publish/Play with JWT Filter for Stream.

Ant Media Server JWT Stream Security Filter

You can use JWT Stream Security Filter for both Stream Publishing and Playing. Once your enable it, then Publish/Play requests without JWT tokens will not be streamed.

After version 2.3 JWT Stream Security filter option in the Dashboard will be divided into two parts. There will be separate options for enabling/disabling JWT Stream Security for publishing and for playing. This separation of control on player and publisher side, will give you the flexibility to enable JWT Stream Security for  example only for players while having another type of security (or no security) for publishers or vice-versa.

Enable JWT Stream Security Filter

We are using JJWT Library for Ant Media Server Stream security. If you want to enable this filter, you just need to enable Publish/Play with JWT Filter for Stream and type the Secret key on web panel. Secret key encrypts with HMAC-SHA256 in JWT Stream Security Filter.

Generate Publish/Play JWT Token

Let’s assume that our secret key is zautXStXM9iW3aD3FuyPH0TdK4GHPmHq so that we just need to create a JWT token. Luckily, there are plenty of libraries available at Libraries for JWT for your development. For our case, we will just use Debugger at JWT.

JWT Token parameters

As shown above, we use HS256 as an algorithm and use our secret key zautXStXM9iW3aD3FuyPH0TdK4GHPmHq to generate the token. So that our JWT token to access the REST API is:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdHJlYW1JZCI6InN0cmVhbTEiLCJ0eXBlIjoicHVibGlzaCJ9.9otWqr4qTvh8afoBOifR9t9wkeaFQ3FcjMNtPuC2WKk

Generate Publish/Play JWT Token with Expiration Time

Even if it’s not necessary to have the payload, there are really useful options that can be used. For instance, you can use exp (expiration time) for JWT token. In order to get more information for the structure, please visit to Introduction to JWT. Let me give an example about JWT Token with Expiration Time.

JWT Token parameters with timestamps

As shown above, the expiration time of the token is Mar 08, 2021 02:14:08 GMT+3. It means that you can use the generated token until the expiration time. The unit of expiration time is unix timestamp. When it expires, the JWT token becomes invalid.

Generate Publish/Play JWT Token with REST API

You can also generate Publish/Play JWT Token with REST API. The Server creates JWT tokens with getJwtTokenV2 Rest Service getting streamId, expireDate and type parameters with query parameters. Service returns tokenId and other parameters. It is important that streamId and type parameters should be defined properly. Because tokenId needs to match with both streamId and type.

The sample JWT token creation service URL in Publish Scenario:

http://[IP_Address]:5080/<Application_Name>/rest/v2/broadcasts/<Stream_Id>/jwt-token?expireDate=<Expire_Date>&type=publish

The sample JWT token creation service URL in Play Scenario:

http://[IP_Address]:5080/<Application_Name>/rest/v2/broadcasts/<Stream_Id>/jwt-token?expireDate=<Expire_Date>&type=play

Expiration Date format is Unix Timestamp. Check also -> https://www.epochconverter.com/

RTMP URL usage:

rtmp://[IP_Address]/<Application_Name>/streamID?token=tokenId

Here is OBS setting for the JWT Stream Security Token:

OBS JWT Stream Security Configuration

Live Stream / VoD URL usage:

http://[IP_Address]/<Application_Name>/streams/streamID.mp4?token=tokenId
http://[IP_Address]/<Application_Name>/streams/streamID.m3u8?token=tokenId
http://[IP_Address]/<Application_Name>/play.html?name=streamID&playOrder=hls&token=tokenId

WebRTC Publish/Play usages:

Again the JWT token parameter should be inserted to publish the WebSocket message for both player and publisher. For further information you may want to check out the principles described in the WebRTC publishing wiki page for publisher side, and the WebRTC playing wiki page for player side.

-Playing usage: 

{
command : "play",
streamId : "stream1",
token : "tokenId",
}

-Publishing usage: 

{
command : "publish",
streamId : "stream1",
token : "tokenId",
}

You can also check our Community Session for stream security:

This feature is available in Ant Media Server 2.3+ versions.

You can see all Stream security docs in here.

Categories: Tutorial

Selim Emre Toy

Highly motivated full-stack developer with 6 years of experience especially in Java and Angular. Constantly learning, passionate about solving complex problems. Proficient in various programming languages and technologies. Enjoys finding creative solutions to challenges.

Related Posts

restream circle with media push plugin
Tutorial

Re-streaming Conference with Media Push Plugin

In today’s interconnected digital landscape, extending your conference’s reach to a global audience is more important than ever. Re-streaming your conference across several social media channels can greatly increase your message’s reach, engagement, and impact. Read more…

Web Player
Tutorial

How to Easily Integrate Ant Media Web Player into Your Project for Excellent Playback

The Web Player, developed by Ant Media, is a powerful live stream player specially designed to simplify the playback of server-hosted live streams. It supports various streaming protocols such as WebRTC, HLS, CMAF Dash, and Read more…

Ant Media Server Cluster using GCP Deployment Manager
Tutorial

Ant Media Server Cluster Deployment Simplified with Jinja Templates on GCP

In this guide, we’ll explore how to leverage Jinja Templates and GCP Deployment Manager to simplify the deployment of Ant Media Server clusters on GCP. We’ll delve into the fundamentals of Jinja Templates and GCP Read more…

chatsimple
Warning: Undefined array key "promocode" in /home/mirror.antmedia.io/public_html/wp-content/themes/hestia-child/footer.php on line 70