Authentication

ConoStream uses JWT (JSON Web Tokens) for secure room access. Tokens are generated server-side and contain permissions for each participant.

How It Works

  1. The user requests to join a room from your app
  2. Your backend generates a JWT with the room permissions
  3. The app uses the token to connect to the ConoStream server
  4. The server validates the token and grants access

Token Structure

A ConoStream token contains the following claims:

{
    "exp": 1234567890,        // Expiration timestamp
    "iss": "APIxxxxxxxx",     // Your API Key
    "sub": "user_123",        // Unique participant ID
    "name": "John Doe",       // Display name
    "video": {
        "room": "my-room",      // Room name to join
        "roomJoin": true,       // Permission to join
        "canPublish": true,     // Can publish audio/video
        "canSubscribe": true    // Can receive streams
    }
}

Permission Types

Permission        Description                       Use Case
roomJoin          Can join the room                 All participants
canPublish        Can publish audio/video tracks    Host, Co-host
canSubscribe      Can receive others' streams       All participants
canPublishData    Can send data messages            Chat, gifts, etc.

Role-Based Tokens

Host Token

// Full permissions - can publish and receive
{
    "video": {
        "roomJoin": true,
        "canPublish": true,
        "canSubscribe": true,
        "canPublishData": true
    }
}

Audience Token

// View-only - cannot publish
{
    "video": {
        "roomJoin": true,
        "canPublish": false,
        "canSubscribe": true,
        "canPublishData": true
    }
}

Token Generation (Server-Side)

PHP Example

use Firebase\JWT\JWT;

function generateToken($room, $userId, $name, $canPublish) {
    // Placeholders: load the real key and secret from server-side configuration
    $apiKey = 'your-api-key';
    $apiSecret = 'your-api-secret';

    $payload = [
        'exp' => time() + 3600,  // Expires in 1 hour
        'iss' => $apiKey,
        'sub' => $userId,
        'name' => $name,
        'video' => [
            'room' => $room,
            'roomJoin' => true,
            'canPublish' => $canPublish,
            'canSubscribe' => true
        ]
    ];

    return JWT::encode($payload, $apiSecret, 'HS256');
}

Node.js Example

const jwt = require('jsonwebtoken');

function generateToken(room, userId, name, canPublish) {
    // Placeholders: load the real key and secret from server-side configuration
    const apiKey = 'your-api-key';
    const apiSecret = 'your-api-secret';

    return jwt.sign({
        iss: apiKey,
        sub: userId,
        name: name,
        video: {
            room: room,
            roomJoin: true,
            canPublish: canPublish,
            canSubscribe: true
        }
    }, apiSecret, { algorithm: 'HS256', expiresIn: '1h' });  // Same algorithm as the PHP example
}

Using Tokens in Android

// Fetch token from your backend
public void joinRoom(String roomName, boolean isHost) {
    apiService.getToken(roomName, userId, isHost)
        .subscribeOn(Schedulers.io())
        .observeOn(AndroidSchedulers.mainThread())
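        .subscribe(response -> {
            String token = response.getToken();
            manager.connect(serverUrl, token, listener);
        }, error -> {
            // Token request failed: do not connect
            Log.e("ConoStream", "Token request failed", error);
        });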
}

⚠️ Security: Never expose your API secret in client code. Always generate tokens on your backend server.
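
The token structure and role grants above, as an added Node.js example using only the built-in crypto module (not ConoStream's code): `mintToken` picks grants from a server-side role instead of a client-supplied flag such as `isHost`, and `verifyToken` shows why a client cannot edit its own permissions. The function names, the `GRANTS` table, and the specific checks in `verifyToken` are assumptions; the page does not document how the ConoStream server validates tokens.

```javascript
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// Grants come from a server-side role (hypothetical table), never from a client flag.
const GRANTS = {
    host:     { roomJoin: true, canPublish: true,  canSubscribe: true, canPublishData: true },
    audience: { roomJoin: true, canPublish: false, canSubscribe: true, canPublishData: true },
};

function mintToken(apiKey, apiSecret, room, userId, name, role, ttlSec = 3600, now = Date.now()) {
    if (!Object.prototype.hasOwnProperty.call(GRANTS, role)) throw new Error('unknown role');
    const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
    const payload = b64url(JSON.stringify({
        exp: Math.floor(now / 1000) + ttlSec,
        iss: apiKey, sub: userId, name,
        video: { room, ...GRANTS[role] },
    }));
    const signingInput = `${header}.${payload}`;
    return `${signingInput}.${b64url(hmac(signingInput, apiSecret))}`;
}

// Assumed validator checks: pinned algorithm, signature, issuer, expiry, room grant.
function verifyToken(token, apiKey, apiSecret, room, now = Date.now()) {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [header, payload, sig] = parts;
    const { alg } = JSON.parse(Buffer.from(header, 'base64url').toString());
    if (alg !== 'HS256') throw new Error('unexpected alg');  // never trust the header's choice
    const expected = hmac(`${header}.${payload}`, apiSecret);
    const given = Buffer.from(sig, 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
        throw new Error('bad signature');
    }
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
    if (claims.iss !== apiKey) throw new Error('wrong issuer');
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) throw new Error('expired');
    if (!claims.video || claims.video.room !== room || claims.video.roomJoin !== true) {
        throw new Error('no grant for this room');
    }
    return claims;
}

// Constructed sample values, for illustration only.
const demo = mintToken('APIexample', 'example-secret', 'my-room', 'user_123', 'John Doe', 'audience');
console.log(verifyToken(demo, 'APIexample', 'example-secret', 'my-room').video);
```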