Skip to main content

Generate and sign JWT's

Single channel auth

Example of signing a token using jsonwebtoken in TypeScript for single channel use.

import { sign } from "jsonwebtoken"

const expiresAfterSeconds = 60 * 60 * 2
// Get real secret from customer panel interface
const secret = "75442486-0878-440c-9db1-a7006c25a39f"
const authenticationToken = sign(
  {
    version: 2,

    channelId: "yourchannelid",

    scope: {
      playout: true
    },

    exp: Math.round(Date.now() / 1000 + expiresAfterSeconds),
  },
  secret
)

Channel group auth

Signing a token for a channel group is helpful as you may reuse the token for any channel belonging to that group. Here is an example of using jsonwebtoken in TypeScript for giving access to a channel group:

import { sign } from "jsonwebtoken"

const expiresAfterSeconds = 60 * 60 * 2
// Get real secret from customer panel interface
const secret = "75442486-0878-440c-9db1-a7006c25a39f"
const authenticationToken = sign(
  {
    version: 2,

    channelGroupId: "yourchannelgroupid",

    scope: {
      playout: true,
    },

    exp: Math.round(Date.now() / 1000 + expiresAfterSeconds),
  },
  secret
)

The signed token can be used for any channel authorization within that group.

Excluding channels within a group

Excluding channels from a group can be a great way of denying access during maintenance or temporary disruptions. Here is an example of using jsonwebtoken in TypeScript for giving access to a channel group but excluding a specific channel within that group:

import { sign } from "jsonwebtoken"

const expiresAfterSeconds = 60 * 60 * 2
// Get real secret from customer panel interface
const secret = "75442486-0878-440c-9db1-a7006c25a39f"
const authenticationToken = sign(
  {
    version: 2,

    channelGroupId: "yourchannelgroupid",
    excludeChannelIds: "notincludedid",

    scope: {
      playout: true,
    },

    exp: Math.round(Date.now() / 1000 + expiresAfterSeconds),
  },
  secret
)

With the above code, the following will not work, as the channel id was excluded according to the claims:

const vindral = new Vindral({
  authenticationToken: "your_signed_token",
  url: "https://lb.cdn.vindral.com",
  channelId: "notincludedid", // this channel id was excluded above
})

Authorizing ingress

Adding additional authorization to ingress is useful when providing a secure way of handling multiple broadcasters in custom integration. Note that you need the correct scope part in the claims for allowing ingest of a stream. Also, channelId is used instead of the private streamKey that is used normally (for ingress without JWT).

Here is an example of signing a token using jsonwebtoken in TypeScript for use with ingress (such as RTMP, SRT or our WebRTC Ingest SDK):

import { sign } from "jsonwebtoken"

const expiresAfterSeconds = 60 * 60 * 20
// Get real secret from customer panel interface
const secret = "75442486-0878-440c-9db1-a7006c25a39f"
const authenticationToken = sign(
  {
    version: 2,

    channelId: "yourchannelid",

    scope: {
      ingest: true,
    },

    exp: Math.round(Date.now() / 1000 + expiresAfterSeconds),
  },
  secret
)

Authorizing clipping

Here is an example of signing a token using jsonwebtoken in TypeScript to allow generating clips between two dates.

import { sign } from "jsonwebtoken"

const expiresAfterSeconds = 60 * 60 * 20
// Get real secret from customer panel interface
const secret = "75442486-0878-440c-9db1-a7006c25a39f"
const authenticationToken = sign(
  {
    version: 2,
    channelId: "yourchannelid",

    scope: {
      clipping: {
        from: "2024-01-01T00:00:00Z",
        to: "2024-01-02T00:00:00Z"
      }
    },

    exp: Math.round(Date.now() / 1000 + expiresAfterSeconds),
  },
  secret
)