How to secure your Ant Media Livestreams?

Where necessary, you may need to have access to a VPS server so you can follow how to implement the steps in this article.

There are a couple of ways to protect your Ant Media streams. In this blog, we would like to hold your hand and take you through each step.

Web Panel IP filter

Ant Media Server provides IP filtering for accessing the web panel. By default, the web panel is open to all IP addresses, but you can filter IP addresses by CIDR notation. Here is a simple step-by-step guide to change this configuration.

Find this file /usr/local/antmedia/conf/ and open it.

The default configuration allows all IPs to access the web panel. So, you need to find the line below in the red5.properties file you’ve opened.


As we said earlier, the default settings are set to all IPs just like in the line above CIDR=

Now, you can make the changes according to your CIDR notation such as:


You can add as many CIDR notations as you want and make sure to separate them with commas. Save the file and restart the server.

Now only the IPs that are in the CIDR blocks you’ve added can access the web panel.

Publisher IP filter

A Publisher in this context is anyone who utilizes Ant Media Server to broadcast live videos or streams. To add an extra layer of security to your server, you can choose to whitelist the publisher IP addresses that are allowed to broadcast streams to it.

So, Ant Media has a publisher IP filter feature you can use to enforce this security mechanism and prevent unauthorized players from publishing content to your server.

To trigger this feature, you need to find and edit the file, which is located in the directory path that looks like this: /usr/local/antmedia/<app name>WEB_INF/

Now, we need to use the settings.allowedPublisherCIDR to whitelist the CIDR block for the publishers allowed to publish streams on our server. For example, assuming we needed to whitelist IPs:[0-255] and, our settings would look like this below:


Allowing multiple IPs separated by commas is acceptable when editing this feature. And after you’ve edited your desired configurations, you can restart your Ant Media server as usual.
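
Before restarting the server with a new web panel or publisher filter, it helps to check the comma-separated CIDR value offline. The following is an added example, not code from Ant Media or from the original article: the function names and the sample addresses are assumptions made for illustration, and the matching is a local model built on Python's ipaddress module rather than the server's own filter.

```python
import ipaddress

def parse_cidr_list(value: str):
    """Split a comma-separated CIDR setting into networks and invalid entries."""
    networks, invalid = [], []
    for item in (part.strip() for part in value.split(",")):
        if not item:
            continue
        try:
            networks.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            invalid.append(item)
    return networks, invalid

def is_allowed(ip: str, networks) -> bool:
    """True if the address falls inside at least one listed block."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)

def review(value: str, must_allow):
    """Return findings for a CIDR setting: typos, allow-all blocks, lockouts."""
    networks, invalid = parse_cidr_list(value)
    findings = [f"invalid entry: {entry}" for entry in invalid]
    findings += [f"allows every address: {net}" for net in networks if net.prefixlen == 0]
    findings += [f"locked out: {ip}" for ip in must_allow if not is_allowed(ip, networks)]
    return findings

if __name__ == "__main__":
    # Constructed sample value and addresses (documentation ranges), not real hosts
    setting = "10.20.0.0/16, 192.0.2.10/32, 300.1.1.1/24"
    for finding in review(setting, ["10.20.5.9", "198.51.100.7"]):
        print(finding)
```

An empty result from review() means every entry parsed, none of them is an allow-all block, and every address you listed as required is still covered.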

JWT Security Token

JWT, which stands for JSON Web Token, is a widely adopted open standard that facilitates the exchange of security information between a client and a server. The information is stored in a JWT as encoded JSON objects, which include a set of claims. To prevent unauthorized alterations to the claims once the token is issued, JWTs are signed using a cryptographic algorithm.

Now, Ant Media allows you to protect your streams by using the JWT stream security filter feature, which is found in the Dashboard/LiveApp or any other app you’ve created for your streams. You can either enable or disable this feature right from your Ant Media Dashboard as seen in the image below:

CREDIT: Image from Ant Media

When you trigger the JWT Stream Security Filter for Stream Publishing and Playing, the Publish/Play requests without JWT tokens won’t be accepted.

Generating the Secret Key and Token for JWT Filter

The Ant Media JWT filter feature for streams requires a Secret Key, which is then needed for the Token to be generated. The Secret Key is private to you, which means you should never reveal it publicly. You can generate the Secret Key from the Ant Media Dashboard under the JWT security filter feature (as described earlier).

Once you have the Secret Key, we will use it to generate the token. A JWT token is a JSON object that has been signed and includes information that allows the receiver (the media server) to verify and authenticate the identity of the request sender (the client).

The way this works is that, when a client sends a request to access a media stream on Ant Media server, it must include a JWT token in the request header. This token contains information such as the user’s identity and the requested permissions.

Ant Media server verifies the token to ensure that it has been issued by a trusted source, has not expired, and has not been tampered with. If the token is valid, Ant Media grants the requested permissions to the client or sender, allowing them to access the requested media stream.

So, what we need is to use a library like Debugger at JWT to generate our token using the Secret Key we’ve created from the Ant Media Dashboard. Inside the Debugger at JWT, we can use an algorithm like HMAC SHA256 to generate the token as seen below:

  • Set up the header: The header has two parts: the type of token, which is JWT, and the type of signing algorithm, which is HMAC SHA256 (HS256) in our case. For example, the header setup looks like this:

  {
    "alg": "HS256",
    "typ": "JWT"
  }

From the above, "alg" represents the algorithm used and "typ" represents the type of token, which is JWT.

  • Payload: The payload represents the stream token parameters like the token expiration time. However, the payload section may not be so important for this authorization, and you can just leave it as shown in the code below:

  {
    "streamId": "put your stream Id here",
    "type": "publish"
  }

  • Verify the Signature: The signature is what lets the receiver check that the message wasn’t changed along the way. Because the token is signed with a secret key, it also verifies that the sender of the JWT is who it says it is. The signature is computed as shown below:

  HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
    Place your Secret Key Here
  )

You can replace [ Place your Secret Key here ] with your actual Secret Key you generated earlier inside Ant Media.

So, if you’ve written everything correctly, you will be able to generate the required token as seen in the image below:

CREDIT: Image from Ant Media

Generate JWT Token with Expiration Time

You can add the expiration parameter in the payload section so that the generated token can be used up to the expiration time you’ve defined. See the code below:

  {
    "streamId": "put your stream Id here",
    "type": "publish",
    "exp": "expiration time"
  }

You need to generate the expiration time using the Unix timestamp tool, which produces a value in a format like this: 1678835579.

Assuming you want the expiration time to be April 08, 2023, 02:14:08 GMT+3, we can use the Unix timestamp to generate the format we need as seen below in the image.

Now, it’s critical that parameters like streamId and type are defined correctly, as the tokenId needs to match them.

Generating Tokens with REST API

You can use the Ant Media getJwtTokenV2 REST API service to generate tokens with defined parameters like streamId, expireDate and type.

For example, if you needed to create a JWT token service URL in Publish Scenario with defined parameters, here is the sample:


On the other hand, if you need to create a JWT token creation service URL in Play Scenario, here is the sample:


Please note that the Expire Date format is Unix Timestamp. You can check here how to convert the time in this format.

How to use the JWT token in Ant Media Streams

You can use the generated tokenId by appending it to the end of the appropriate URL of either the publisher or play stream. For example,

  • RTMP url token Id integration
  • HLS/ VoD & Embedded Player Usage

WebRTC Publish/Play Token ID integration

For a Play stream, you have to add the JWT token parameter to the play WebSocket message as seen below:

{
  command : "play",
  streamId : "stream1",
  token : "tokenId",
}

For a Publish WebRTC stream, the JWT token parameter integration should look as follows:

{
  command : "publish",
  streamId : "stream1",
  token : "tokenId",
}
