edit-icon download-icon

Live authentication

Last Updated: Jan 15, 2018

URL authentication function aims to protect the user’s website content from the illegal or malicious activity.

It is a safe and reliable anti-theft mechanism that protects site resources by coordinating Alibaba Cloud CDN acceleration node with customer resources site. The customer site provides customer with an encrypted URL (including authentication information), which the user then uses to make a request to the acceleration node. The acceleration node verifies the authentication information in the encrypted URL to determine the validity of the request (that is, whether to respond normally to a valid response or refuse an invalid response), thus effectively protecting customer site resources.

Note: The authentication function is enabled by default for the newly created domain name since Janurary 1, 2018. You can adopt the authentication by default, or custimize it on the Apsaravideo Live console.

Authentication URL composition


Live streaming address/playaddress+verification string, the verification string is caculated according to md5 algorithm by usingauthentication key+expiration time. This address is applicable to PC end, mobile end, third-party streaming and play tools.

  • The Auth KEY field can be set by the user,

  • If the Expire time in which user visits customer source server exceeds the self-defined time (timestamp field designation), the authentication is invalid. For example, if the expire time is 1800s, and the user sets the visit time as 2020-08-15 15:00:00, the link expires at 2020-08-15 15:30:00.

URL authentication concept

Encrypted URL component
  1. http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash
Authentication field description
Field Description
timestamp expire time, positive integer, fixed length 10, seconds measured from 1970-01-01. Used to control expire time, integer of 10 digit, expire time 1800s.
rand random number, usually set to 0
uid not used yet (set to 0)
md5hash verification string caculated according to md5 algorithm, lowercase letters and digits are supported, fixed length 32

When the server receives the request, it first determines whether the timestamp in the request is shorter than the current time. If it is shorter, then the expire time is thought to be invalid and it returns an HTTP 403 error. If the timestamp is longer than the current time, then a same string is structured (refer to the following composition mode of sstring). The server then calculates the HashValue according to MD5 algorithm, and compares this value with md5hash in the request. If the values are the same, then the authentication is successful; otherwise, it returns an HTTP 403 error.

HashValue is calculated with the following strings,

  1. sstring = "URI-Timestamp-rand-uid-PrivateKey"URI is the address corresponding to the user's request object, not including parameters,for example:/Filename)
  2. HashValue = md5sum(sstring)
  1. Pass req_auth request object

    1. http://cdn.example.com/video/standard/1K.html
  2. Set the key to: aliyuncdnexp1234 (set by the user)

  3. The expire time of authentication is 2015-10-10 00:00:00, the seconds calculated is: 1444435200.

  4. The server structures a signature string used to calculate Hashvalue

    1. /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234
  5. The server calculates HashValue according to the signature string

    1. HashValue = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f
  6. The URL, when making a request, is

    1. http://cdn.example.com/video/standard/1K.html?auth_key=1444435200-0-0-80cd3862d699b7118eed99103f2a3a4f

    The calculated HashValue is consistent with md5hash = 80cd3862d699b7118eed99103f2a3a4f in the user’s request, and the authentication succeeds.

    Note: We recommend that the streaming address performs encryption and authentication operations for enhanced security.


  • Authentication by default.

    The authentication function is in the Opened state by default. The Main KEY is abcd1234,and the Expire time is 1800s. The authentication expires if the time exceeds 1800s.

    1. Log on to the ApsaraVideo Live console.

    2. Click Domains in the left-side navigation pane.

    3. Select the region.

    4. Select the domain name, and click Detail at the right side.


    5. In Base Information > Center streaming information, click Go to generate authentication URL at the right side of Authentication settings.


    6. In the Generate authentication URL page, click Start to generate.

      Note: A demo streaming URL is generated in the Original URL field, the playback address is custimized according to your playing requirement. If you want to set a new custom AppName and StreamName, you need to replace the AppName and StreamName in the streaming URL with the AppName and StreamName you customize respectively, and then generate authentication URL.

    7. Click to copy the generated URL authentication address.


    8. Click OK.

      The generated Authentication URL rtmp://video-center.alivecdn.com/AppName/StreamName?vhost=videolive-en.aliyun.com&auth_key=************** can be used for streaming and playback.

      Note: The authentication is set at the domain name level. If the authentication function is enabled under the domain name, all the streaming addresses under the domain name must perform authentication operation. Meanwhile, the playback address corresponding to the streaming address must perform authrntication. We recommend that you use the authentication URL for playback operation.

  • Customize authentication

    If you don’t adopt the configration by default, you can also customize Main KEY, Standby KEY, Expire time, AppName and StreamName, and then generate Authentication URL for streaming and playback.

    1. In Base Information > Center streaming information, click the 2icon at the right side of Authentication settings.

    2. In the Authentication settings page, customize the Main KEY, Standby KEY, and Expire time and click OK.



      • Main KEY is a key for calculating encrypted string. If the Main KEY is changed, all addresses using the Main KEY instantly becomes invalid. If the Standby KEY is changed to the Main KEY, the streaming or playback address using the Main KEY does not become invalid instantly, but uses the Standby KEY as a mechanism for performing the switch.
    3. Click Go to generate authentication URL at the right side of Authentication settings to set the AppName and StreamName on the Generate authentication URL page.

      Original URLrtmp://video-center.alivecdn.com/AppName/StreamName?vhost=videolive-en.aliyun.com, wherein,

      • Thevideo-center.alivecdn.comis a server of the live video center and can be customized. For example, if your domain name isvideolive-en.aliyun.com(Note: This domain name cannot be the same with your CDN domain name), you can set the DNS and point your domain name CNAME tovideo-center.alivecdn.com.

      • AppNameis the app name. This parameter can be customized.

      • StreamNameis the stream name. This parameter can be customized.

      • Thevhostparameter specifies a domain name for eventual playback on an edge node, namely your live video CDN domain name.

Thank you! We've received your feedback.