Authentication & session tokens
Every authenticated surface on the TRaX media plane accepts a session JWT: a short-lived, ES256-signed token minted by the TRaX platform. There are no long-lived shared secrets in the media path.
Access is operator-provisioned today. TRaX does not yet offer self-serve API-key or token issuance for third parties — session tokens are minted by the platform for its own applications, and for partners by hand. Self-serve issuance is a separate, tracked design effort. Until it ships, contact the TRaX team to get credentials.
Token shape
Session JWTs are compact JWS tokens, signed with ES256 (ECDSA P-256 + SHA-256).
Key claims:
| Claim | Meaning |
|---|---|
| iss | trax-studio-api — the minting service |
| aud | The consuming surface. Media-plane audiences: trax-mediamtx (SRT/RTMP publish + read), trax-mediamtx-talk (WebRTC talk/publish), trax-mediamtx-read (single-path WebRTC read) |
| action | What the token authorizes: publish or read |
| path | The exact stream path the token is bound to |
| exp | Short TTL — tokens are minted per session/purpose, not stored |
The action + path claims bind a token 1:1 to one operation on one path. A
publish token for one path cannot read another path; token reuse across paths is
rejected at the media edge.
Verifying TRaX tokens (JWKS)
The platform publishes its current signing keys at:
https://<trax-api-host>/.well-known/jwks.json
Standard JWKS semantics apply: match the token's kid header to a key in the
set, verify the ES256 signature, then validate exp, iss, and the aud you
expect. Keys are stable across service restarts; rotation-tolerant verifiers
should refetch the JWKS on an unknown kid.
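The verification order above, as an added example using only Node.js built-ins (not TRaX's own code). The function names, the throwaway key, the kid and the live/demo path are constructed for illustration, and the sketch assumes action and path are top-level string claims.

```javascript
// Added example (not TRaX code): ES256 session-JWT verification with Node.js built-ins.
const { createPublicKey, generateKeyPairSync, sign, verify } = require('node:crypto');

const b64u = (s) => Buffer.from(s).toString('base64url');
const parseSeg = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Checks run in the order the page gives: kid -> signature -> exp, iss, aud, then action/path.
// `expect` is { aud, action, path }; `now` is in seconds. Throws on any failure.
function verifySessionJwt(token, jwks, expect, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = parseSeg(h);
  // Pin the algorithm; the token header must never choose it (rejects alg "none", HS256).
  if (header.alg !== 'ES256') throw new Error('unexpected alg');
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'EC' && k.crv === 'P-256');
  if (!jwk) throw new Error('unknown kid'); // caller refetches the JWKS once, then retries
  const key = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
  const sig = Buffer.from(s, 'base64url');
  // JWS ES256 signatures are the raw 64-byte r||s pair, not DER.
  const ok = sig.length === 64 &&
    verify('sha256', Buffer.from(`${h}.${p}`), { key, dsaEncoding: 'ieee-p1363' }, sig);
  if (!ok) throw new Error('bad signature');
  const c = parseSeg(p);
  if (typeof c.exp !== 'number' || c.exp <= now) throw new Error('expired');
  if (c.iss !== 'trax-studio-api') throw new Error('wrong iss');
  if (![].concat(c.aud).includes(expect.aud)) throw new Error('wrong aud');
  if (c.action !== expect.action || c.path !== expect.path) throw new Error('wrong action/path');
  return c;
}

// Constructed fixture: a throwaway P-256 key and made-up kid stand in for the platform's.
function makeFixture(kid = 'constructed-kid-1') {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid, alg: 'ES256', use: 'sig' }] };
  const mint = (claims, header = { alg: 'ES256', kid, typ: 'JWT' }) => {
    const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
    const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
    return `${input}.${sig.toString('base64url')}`;
  };
  return { jwks, mint };
}

// Constructed claims; 'live/demo' is a made-up path. Returns the verified claim set.
function demo() {
  const { jwks, mint } = makeFixture();
  const exp = Math.floor(Date.now() / 1000) + 60;
  const token = mint({ iss: 'trax-studio-api', aud: 'trax-mediamtx', action: 'publish', path: 'live/demo', exp });
  return verifySessionJwt(token, jwks, { aud: 'trax-mediamtx', action: 'publish', path: 'live/demo' });
}
```

Against the real platform, the jwks argument would be the parsed body of https://<trax-api-host>/.well-known/jwks.json, cached by the caller and refetched once when the verifier throws 'unknown kid'.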
Where the token goes, per protocol
| Protocol | Token placement |
|---|---|
| SRT | Inside the streamid: <action>:<path>:trax:<jwt> — see SRT streamid contract |
| RTMP / RTMPS | URL userinfo: rtmp://<user>:<pass>@host/<path> — see RTMP contract |
| WHIP / WHEP | Authorization: Bearer <jwt> header — see WHIP / WHEP |
Stream keys
Some provisioned setups use a static stream key instead of a JWT (for encoders that can't mint tokens). A stream key rides in the same positions as the JWT (SRT streamid credential fields, RTMP userinfo). Treat stream keys like passwords: they are revocable by the platform but do not expire on their own.