I used this article to implement Wowza Secure token on my server and it works as expected. However the article said that “Each connection is protected by a random single-use key and a password (shared secret).” I do not find that to be the case. If a user does a view source on my page and copies the stream url, he can easily play it back using other players. Is it possible to make the stream url truly singly use, so that if one connection has been established using that url, all other requests using the same stream url will be denied.
You are correct, the single-use word is wrongly used in the sentence you pointed out. I will contact our documentation team and have this corrected.
However, only the playback client using the correct playback URL can play the protected streams. It is true that a more technical user can find the secure token playback URL, but you can always restrict the playback to a specific Client IP. Since you are generating the secure token dynamically, you can include the IP address of the user loading your player into the string used for hashing. In the Secure Token settings, you can set to use the Client IP in the hash generation as well on the server side.
This way, if a user is sharing the playback URL generated for his client IP, the same playback URL won’t work for a different client since it will have a different IP address.
Also, you can specify a start and end time for how long the secure token key is valid. If a user requests the stream out of the validity period, his playback will fail.