Authentication & session tokens

Every authenticated surface on the TRaX media plane accepts a session JWT: a short-lived, ES256-signed token minted by the TRaX platform. There are no long-lived shared secrets in the media path.

Access is operator-provisioned today. TRaX does not yet offer self-serve API-key or token issuance for third parties — session tokens are minted by the platform for its own applications, and for partners by hand. Self-serve issuance is a separate, tracked design effort. Until it ships, contact the TRaX team to get credentials.

Token shape

Session JWTs are compact JWS tokens, signed with ES256 (ECDSA P-256 + SHA-256).

Key claims:

| Claim | Meaning |
| --- | --- |
| iss | trax-studio-api — the minting service |
| aud | The consuming surface. Media-plane audiences: trax-mediamtx (SRT/RTMP publish + read), trax-mediamtx-talk (WebRTC talk/publish), trax-mediamtx-read (single-path WebRTC read) |
| action | What the token authorizes: publish or read |
| path | The exact stream path the token is bound to |
| exp | Short TTL — tokens are minted per session/purpose, not stored |

The action + path claims bind a token 1:1 to one operation on one path. A publish token for one path cannot read another path; token reuse across paths is rejected at the media edge.

Verifying TRaX tokens (JWKS)

The platform publishes its current signing keys at:

https://<trax-api-host>/.well-known/jwks.json

Standard JWKS semantics apply: match the token's kid header to a key in the set, verify the ES256 signature, then validate exp, iss, and the aud you expect. Keys are stable across service restarts; verifiers that need to tolerate key rotation should refetch the JWKS when they encounter an unknown kid.
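The verification steps above, together with the action + path binding from the Token shape section, as an added Node.js example (not TRaX's own code). The function names, the `demo-key-1` kid, the `live/demo` path, the throwaway key pair, and the treatment of aud as a single string are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

const b64json = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// expected = { aud, action, path }: the one operation this surface is about to allow.
function verifySessionToken(token, jwks, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const [h, p, s, extra] = token.split('.');
  if (!s || extra !== undefined) throw new Error('malformed token');
  const header = b64json(h);
  if (header.alg !== 'ES256') throw new Error('unexpected alg'); // pin alg; never let the token choose
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) throw Object.assign(new Error('unknown kid'), { code: 'UNKNOWN_KID' }); // caller refetches JWKS
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url'); // JWS ES256 signature is raw r||s, 64 bytes, not DER
  const signed = Buffer.from(`${h}.${p}`);
  if (sig.length !== 64 || !crypto.verify('sha256', signed, { key, dsaEncoding: 'ieee-p1363' }, sig)) {
    throw new Error('bad signature');
  }
  const c = b64json(p); // claims are read only after the signature has verified
  if (c.iss !== 'trax-studio-api') throw new Error('wrong iss');
  if (c.aud !== expected.aud) throw new Error('wrong aud'); // assumption: aud is a single string
  if (typeof c.exp !== 'number' || c.exp <= nowSec) throw new Error('expired');
  if (c.action !== expected.action || c.path !== expected.path) throw new Error('action/path mismatch');
  return c;
}

// Constructed sample data: a throwaway key pair stands in for the platform signing key.
function makeSample(claims, kid = 'demo-key-1') {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg: 'ES256', kid })}.${enc(claims)}`;
  const sig = crypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid }] };
  return { token: `${input}.${sig.toString('base64url')}`, jwks };
}

// Returns 'ok' or the rejection reason.
function outcome(token, jwks, expected, nowSec) {
  try {
    verifySessionToken(token, jwks, expected, nowSec);
    return 'ok';
  } catch (err) {
    return err.code || err.message;
  }
}

const demo = makeSample({ iss: 'trax-studio-api', aud: 'trax-mediamtx', action: 'publish', path: 'live/demo', exp: 2000 });
const op = { aud: 'trax-mediamtx', action: 'publish', path: 'live/demo' };
console.log(outcome(demo.token, demo.jwks, op, 1000), outcome(demo.token, demo.jwks, { ...op, path: 'live/other' }, 1000));
```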

Where the token goes, per protocol

| Protocol | Token placement |
| --- | --- |
| SRT | Inside the streamid: <action>:<path>:trax:<jwt> — see SRT streamid contract |
| RTMP / RTMPS | URL userinfo: rtmp://<user>:<pass>@host/<path> — see RTMP contract |
| WHIP / WHEP | Authorization: Bearer <jwt> header — see WHIP / WHEP |

Stream keys

Some provisioned setups use a static stream key instead of a JWT (for encoders that can't mint tokens). A stream key rides in the same positions as the JWT (SRT streamid credential fields, RTMP userinfo). Treat stream keys like passwords: they are revocable by the platform but do not expire on their own.