Self-signed Subscribe Tokens

The Real-Time Streaming APIs supports the ability to self-sign subscribe tokens without having to make an API call. Self-signing the token locally, allows you to generate your subscribe token more efficiently. The self-signed token is a user generated JWT that is generated from a subscribe token. The subscribe token functions as a parent token, and any self-signed token generated from this token will inherit any restrictions or parameters that are specified when the subscribe token is created. The self-signed token can be passed to the Real-time Streaming service, similarly to any subscribe token, but is then validated against the subscribe token that was used to sign it.

Self-signing your subscribe token allows you to:

  • Sign the subscribe token locally in the language of your choice
  • Reduce the number of API calls to protect your streams

Note: Self-signed tokens are not revokable and if you want to bind it to an IP address, you will have to specify the IP address during the subscribe token creation.

For more information, see Subscribe Tokens and Managing Your Subscriber Tokens.

In a future release, Real-Time Streaming APIs will support the ability to track end user metrics using a trackingId for syndicated content across multiple partners or providers.

Creating a self-signed token

  1. Create a subscribe token using the Create Token API. The API returns the tokenId and token.
  2. Create a JWT with the following data:
    • tokenId: The ID of the (primary) subscribe token
    • streamName: a complete, non-wildcard streamName that the subscriber will be allowed access to view
    • allowedOrigins (optional): origins that allow the stream to be viewed from
    • allowedIpAddresses (optional): IP ranges that allow the stream to be viewed from
  3. Sign the JWT using the subscribe token as the key and set an expiration for the JWT.

Examples of self-singing a token can be found at this GitHub repository.