Flussonic Media Server documentation

Securing Access to Streams (Authorization with Token)

In this article we will show an example of how authorization can be implemented without writing your own backend.

The authorization system works as follows:

  • Your website generates a token by using a simple formula and hashes it with the secret key.
  • Client opens a stream that has this token.
  • Flussonic generates a token string (using a stream name and the client's IP address) and hashes it by using the same secret key.
  • If the hash sums match, then playback is allowed. Otherwise – no access to the stream.

Configuring Flussonic for using authorization with tokens Anchor Anchor x2

On the Flussonic side you need to set only one string – the path to the 'securetoken' script and set a secret key.

The auth directive can be configured for a certain stream or as a global setting:

stream example-stream {
  url fake://fake;
  auth securetoken://SECRETKEY;

Code to a website Anchor Anchor x2

Flussonic must know these values to generate a token:

  • Client's IP address
  • Stream name
  • Secret key
  • Current timestamp

Code on a website should collect values to one string with the order:

string = streamname + ip + starttime + endtime + secretkey + salt

The token created as follows:

sha1(string) + salt + endtime + starttime


  • starttime and endtime is a unixtimestamp when the token is valid. Usually, starttime is a current time and endtime is current time + few hours.

  • salt is a random string.

PHP example Anchor Anchor x2


$flussonic = 'http://flussonic-ip'; // flussonic address
$key = 'SECRETKEY'; // key from flussonic.conf file. KEEP IT IN SECRET
$lifetime = 3600 * 3; // 3 hours after link will be invalid

$stream = $_GET['stream']; // this script get streamname from a query string (script.php?stream=bbc)

$ipaddr = $_SERVER['REMOTE_ADDR'];
$desync = 300; // allowed time desync between flussonic and hosting servers in seconds
$starttime = time() - $desync;
$endtime = $starttime + $lifetime;
$salt = bin2hex(openssl_random_pseudo_bytes(16));

$hashsrt = $stream.$ipaddr.$starttime.$endtime.$key.$salt;
$hash = sha1($hashsrt);

$token = $hash.'-'.$salt.'-'.$endtime.'-'.$starttime;
$link = $flussonic.'/'.$stream.'/embed.html?token='.$token;
$embed = '<iframe allowfullscreen style="width:640px; height:480px;" src="'.$link.'"></iframe>';

echo $embed;

Rails example Anchor Anchor x2


Rails.application.routes.draw do
  get '/securetoken/:id', to: 'securetoken#index'


class SecuretokenController < ApplicationController

  def index

    flussonic = 'http://flussonic-ip'
    secret = 'SECRETKEY'

    streamname = params[:id]
    lifetime = 3600 * 3
    starttime = Time.now.to_i - 300
    endtime = Time.now.to_i + lifetime
    salt = rand(8**8).to_s(8)

    hash = Digest::SHA1.hexdigest(streamname + request.remote_ip + starttime.to_s + endtime.to_s + secret + salt)
    token = hash + '-' + salt + '-' + endtime.to_s + '-' + starttime.to_s
    @url = flussonic + '/' + streamname + '/' + 'embed.html?token=' + token


<iframe allowfullscreen style="width:640px; height:480px;" src="<%= @url %>"></iframe>