Skip to main content

Overview

Ant Media Server supports multiple authentication mechanisms:
  • One-time tokens - Random tokens with expiration
  • JWT tokens - Industry standard JSON Web Tokens
  • TOTP - Time-based One-Time Passwords for subscribers

Generate One-Time Token

Generate a random one-time token for a specific stream.
GET /v2/broadcasts/{id}/token
curl -X GET "https://example.com:5443/LiveApp/rest/v2/broadcasts/stream1/token?expireDate=1735689600&type=publish" \
  -H "Authorization: Bearer {jwt}"
id
string
required
Stream ID to generate token for
expireDate
integer
required
Token expiration time in Unix timestamp (seconds)
type
string
required
Token type: publish or play
roomId
string
Room ID if token is for a conference room
tokenId
string
Generated token ID
streamId
string
Stream ID this token is valid for
expireDate
integer
Token expiration timestamp
type
string
Token type (publish/play)

Generate JWT Token

Generate a JWT token for a stream. Generally JWT tokens should be generated on the client side.
GET /v2/broadcasts/{id}/jwt-token
curl -X GET "https://example.com:5443/LiveApp/rest/v2/broadcasts/stream1/jwt-token?expireDate=1735689600&type=publish" \
  -H "Authorization: Bearer {jwt}"
id
string
required
Stream ID to generate JWT token for
expireDate
integer
required
Token expiration time in Unix timestamp (seconds)
type
string
required
Token type: publish or play
roomId
string
Room ID if token is for a conference room
Response: Same as one-time token response.

Validate Token

Validate if a token is still valid and not expired.
POST /v2/broadcasts/validate-token
curl -X POST "https://example.com:5443/LiveApp/rest/v2/broadcasts/validate-token" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer {jwt}" \
  -d '{
    "tokenId": "token123",
    "streamId": "stream1",
    "expireDate": 1735689600,
    "type": "publish"
  }'
tokenId
string
required
Token ID to validate
streamId
string
required
Stream ID associated with the token
expireDate
integer
required
Token expiration timestamp
type
string
required
Token type (publish/play)
success
boolean
true if token is valid, false otherwise

List Tokens

Get all tokens for a specific stream.
GET /v2/broadcasts/{id}/tokens/list/{offset}/{size}
curl -X GET "https://example.com:5443/LiveApp/rest/v2/broadcasts/stream1/tokens/list/0/10" \
  -H "Authorization: Bearer {jwt}"
id
string
required
Stream ID to list tokens for
offset
integer
required
Starting point of the list
size
integer
required
Number of tokens to return (max: 50)
Response: Array of token objects.

Revoke All Tokens

Remove all tokens associated with a stream.
DELETE /v2/broadcasts/{id}/tokens
curl -X DELETE "https://example.com:5443/LiveApp/rest/v2/broadcasts/stream1/tokens" \
  -H "Authorization: Bearer {jwt}"
id
string
required
Stream ID to revoke tokens for
success
boolean
true if tokens were revoked successfully

TOTP Authentication

For subscriber-based authentication, Ant Media Server supports Time-based One-Time Passwords (TOTP).

Get TOTP for Subscriber

GET /v2/broadcasts/{id}/subscribers/{subscriberId}/totp
curl -X GET "https://example.com:5443/LiveApp/rest/v2/broadcasts/stream1/subscribers/subscriber123/totp?type=play" \
  -H "Authorization: Bearer {jwt}"
id
string
required
Stream ID
subscriberId
string
required
Subscriber ID to generate TOTP for
type
string
Type: publish or play. Used if subscriber is not in database
success
boolean
Indicates if TOTP was generated successfully
message
string
The generated TOTP code (6 digits)

How TOTP Works

If the subscriber is registered in the database with a b32Secret:
  • TOTP is generated using the subscriber’s secret
  • Custom expiry period is used if set, otherwise global setting applies
If the subscriber is NOT in the database:
  • Secret is generated from AppSettings: {secretFromSettings} + {subscriberId} + {streamId} + {type} + {padding}
  • Uses global timeTokenPeriod setting

Subscriber Authentication Token

Get a JWT authentication token for a subscriber (for push notifications).
GET /v2/push-notification/subscriber-auth-token
curl -X GET "https://example.com:5443/LiveApp/rest/v2/push-notification/subscriber-auth-token?subscriberId=sub123&timeoutSeconds=3600" \
  -H "Authorization: Bearer {jwt}"
subscriberId
string
required
Subscriber ID to generate token for
timeoutSeconds
integer
Token validity duration in seconds (default: 3600)
success
boolean
Whether token generation succeeded
dataId
string
The generated JWT token
message
string
Description of the response

Build docs developers (and LLMs) love

Get started for freeTalk to us