How to Configure Per-Channel Static Token-Based RTMP Authentication on Wowza

Hello, Wowza Community,

I’m working on a multi-channel live-streaming platform where users can create their own channels. The platform requires the following setup:

  1. SecureToken Setup:
  • On Edge Server: SecureToken V2 is active and currently using time-based tokens (?wowzatoken with expiration and hash).
  • On Origin Server: SecureToken V1 is configured to manage connections with the Edge server.
  2. New Requirement:
  • Each user should receive a unique RTMP URL with a static token that does not expire, e.g.:
rtmp://192.168.1.1/folder?token=N3U2DWNU9E23JNDJ9N923DJN2890J2890JN28092
  • This token should allow the user to stream on their specific channel. Without the correct token, streaming should be denied.
  • The same token will always be valid for that channel, even after server restarts or reconfigurations.
  3. Key Constraints:
  • The platform will host a large number of channels and tokens, so the configuration must be scalable.
  • The Edge server should always connect to the same primary Origin server URL for processing.

My Questions:

  1. Token-Based Authorization for RTMP Publishing:
  • How can I configure Wowza to check for a static token in the RTMP URL for each channel and validate it before allowing publishing?
  • Is there a module or custom development approach to make this happen?
  2. Efficient Management of Tokens:
  • Since the system will host many channels, is there a way to store and validate tokens dynamically (e.g., using a database or external API)?
  • What would be the best practice to integrate such a system into Wowza for high performance?
  3. Edge-to-Origin Connection:
  • With SecureToken V2 already active on the Edge, should I adjust the current SecureToken settings between the Edge and Origin to ensure compatibility with the new token-based publishing requirement?
  4. Custom Modules:
  • Would a custom Wowza module be the best approach for implementing this per-channel static token validation? If so, are there any example modules or guidelines to use as a starting point?

Configuration Details:

  • Origin Server SecureToken: SecureToken V1
  • Edge Server SecureToken: SecureToken V2 with expiration
  • Example Workflow:
    • User creates a channel → Platform generates a unique token for that channel → User streams using rtmp://192.168.1.1/folder?token=... → Wowza validates the token and starts the stream if valid.

Any help or guidance on how to achieve this setup would be greatly appreciated!

Thanks in advance

A good example is the Wowza module called “wse-plugin-banstreams” on GitHub. This shows how to block publish of an RTMP or RTSP stream. You could extend it to talk to some back-end API or DB.

Scott Kellicker
Streaming Video Consultant
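A sketch of the back-end check such a module could call before allowing a publish, added here as an example and not taken from wse-plugin-banstreams, Wowza, or any poster in this thread. `ChannelTokenStore` and `authorize_publish` are hypothetical names, and it assumes the stream name identifies the channel and that the module hands over the connect URL and stream name.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class ChannelTokenStore:
    """In-memory stand-in for the DB table; only SHA-256 digests are stored."""

    def __init__(self):
        self._digests = {}  # channel name -> hex digest of its static token

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, channel):
        """Create or rotate a channel's token; the plaintext is returned once."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._digests[channel] = self._digest(token)
        return token

    def revoke(self, channel):
        self._digests.pop(channel, None)

    def check(self, channel, token):
        """Constant-time comparison; unknown channels are always denied."""
        candidate = self._digest(token)
        expected = self._digests.get(channel)
        if expected is None:
            hmac.compare_digest(candidate, self._digest(""))  # same work done
            return False
        return hmac.compare_digest(candidate, expected)


def authorize_publish(store, connect_url, stream_name):
    """Allow a publish only if the URL carries exactly one valid token."""
    parts = urlsplit(connect_url)
    if parts.scheme not in ("rtmp", "rtmps"):
        return False
    tokens = parse_qs(parts.query).get("token", [])
    if len(tokens) != 1:  # missing, empty, or duplicated parameter
        return False
    return store.check(stream_name, tokens[0])


if __name__ == "__main__":
    store = ChannelTokenStore()
    url = "rtmp://192.168.1.1/folder?token=" + store.issue("channel-a")
    print(authorize_publish(store, url, "channel-a"))  # own channel
    print(authorize_publish(store, url, "channel-b"))  # someone else's channel
```

Because only digests are kept, a leaked table does not reveal usable publish URLs, and calling `issue` again for a channel rotates its token without touching the others.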

I think an easier way to do this, without any changes needed on the Wowza side, is to use the optional wowzatokenendtime (or start time) as a username for each unique user.

Make sure to set the end time well in the future (so it lasts basically forever to meet your request, or in the past if start time) and then generate the hash (token) using that end/start time in your client app. You’ll need to do that anyway outside of Wowza. That application will determine whether the user has access to the channel and then, using their “username”, generate the hash (with the salt) and pass everything to the Wowza stream. If you want additional security, include the IP address.

This should do exactly what you want.