ApsaraVideo Live: Signed ingest and streaming URLs

Last Updated: Mar 06, 2026

To prevent malicious downloads and theft of site resources, you can configure a Referer blacklist or whitelist to identify and filter visitors. You can also use signed ingest and streaming URLs to better protect resources on your origin server. This topic describes how the URL signing feature works, how to configure the feature, and the usage notes.

Signed URL Components

Signed URLs are suitable for PCs, mobile devices, and third-party ingest and playback tools. A signed URL consists of an ingest URL or a streaming URL plus an access token, for example:

rtmp://push.aliyundoc.com/app/stream?auth_key=1740562218-0-0-183e22e*********

The `auth_key` parameter is the access token.

Structure of an access token

timestamp-rand-uid-md5hash
  • timestamp: The UNIX timestamp, expressed in seconds. The final expiration time is determined by adding this value to the domain's URL signing validity period.

    If you use the URL generator in the ApsaraVideo Live console to generate a signed URL, the timestamp is the current time. In this case, the following formula applies: Expiration time = Current time + Validity period.

    If you construct a signed URL using the concatenation rules, you can specify the timestamp yourself. If you set the timestamp to the current time plus 3,600 seconds, the following formula applies: Expiration time = Current time + 3,600 seconds + Validity period. If you set the timestamp to the current time, the following formula applies: Expiration time = Current time + Validity period.

  • rand: A random number, typically 0.

    To ensure each generated URL is unique, use a UUID as the random number. The UUID cannot contain hyphens (-). Example: 477b3bbc253f467b8def6711128c7****.

  • uid: An additional parameter, not currently used, typically 0.

  • md5hash: The verification string calculated using the MD5 algorithm. It consists of a 32-character string of digits (0-9) and lowercase English letters (a-z).

    String to be hashed

    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)

    For example, if the ingest URL is rtmp://push.aliyundoc.com/app/stream, the string to be hashed is /app/stream-timestamp-rand-uid-PrivateKey, where PrivateKey is the domain's authentication key.

How to Use

To use signed URLs, you must enable the URL signing feature for your domain name. URL signing is enabled by default when you add a domain name for the first time. For more information, see Configure URL signing. You can generate a signed URL in the ApsaraVideo Live console or using the concatenation rules. For more information, see Generate ingest and streaming URLs.

How it works

After URL signing is enabled, the server verifies a request by performing the following operations:

  1. The server checks whether the timestamp in the request is earlier than the current time.

    • If the timestamp is earlier than the current time, the server treats the signed URL as expired and returns HTTP status code 403.

    • If the timestamp is later than the current time, the server constructs a string using the following sstring formula.

  2. The server uses the MD5 algorithm to calculate the hash value of the string and then compares the hash value with that contained in the request.

    • If the two values are the same, the authentication is successful. The server returns the live stream.

    • If the two values are different, the authentication fails. The server returns HTTP status code 403.

The HashValue is derived from the following string:

sstring = "URI-timestamp-rand-uid-PrivateKey"
HashValue = md5sum(sstring)

Example

  • Assumptions:

    1. A request is made for the object rtmp://demo.aliyundoc.com/video/standard**** using `req_auth`.

    2. You set the cryptographic key to aliyunliveexp1234, which is the primary key or secondary key configured in the ApsaraVideo Live console.

    3. The time when the signed URL is generated is 16:49:57 on May 28, 2021 (UTC+8).

    4. In the console, the validity period for the signed URL is set to 40 minutes.

    5. You set both the rand and uid fields to 0.

  • Result:

    1. The calculated UNIX timestamp of the signed URL is 1622194197, which is 17:29:57 on May 28, 2021 (UTC+8).

    2. The server constructs a signature string that is used to calculate the hash value.

      /video/standard-1622194197-0-0-aliyunliveexp1234

    3. The server calculates the hash value based on the signature string.

      HashValue = md5sum("/video/standard-1622194197-0-0-aliyunliveexp1234") = 5552ff52b5e4e20387c6dc18afce****

    4. The request URL is rtmp://demo.aliyundoc.com/video/standard****?auth_key=1622194197-0-0-5552ff52b5e4e20387c6dc18afce****

      Note

      The auth_key field indicates the access token that is included in the signed URL.

    5. The calculated HashValue matches the md5hash = 5552ff52b5e4e20387c6dc18afce**** value in the user's request. Authentication succeeds.
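
The signing rule and the two server-side checks described above, as an added Python example (not ApsaraVideo Live's own code). The function names and the `validity` parameter are assumptions made for illustration; the URL, key and timestamp are taken from the example above.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit


def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Return url with ?auth_key=timestamp-rand-uid-md5hash appended."""
    uri = urlsplit(url).path  # only the path is hashed, never the query string
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    md5hash = hashlib.md5(sstring.encode()).hexdigest()
    return f"{url}?auth_key={timestamp}-{rand}-{uid}-{md5hash}"


def verify_url(url, key, now, validity=0):
    """Replay the two server-side checks; returns 200 or 403.

    validity (assumed parameter) is the domain's validity period in seconds.
    The default 0 compares the token timestamp with `now` directly, as the
    "How it works" steps are written.
    """
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("auth_key", [""])[0]
    fields = token.split("-")
    if len(fields) != 4 or not fields[0].isdecimal():
        return 403  # missing or malformed access token
    timestamp, rand, uid, md5hash = fields
    if int(timestamp) + validity < now:
        return 403  # step 1: the signed URL has expired
    sstring = f"{parts.path}-{timestamp}-{rand}-{uid}-{key}"
    expected = hashlib.md5(sstring.encode()).hexdigest()
    # step 2: constant-time comparison of the recomputed and supplied hashes
    ok = hmac.compare_digest(expected.encode(), md5hash.encode())
    return 200 if ok else 403


# Values from the page's example. The stream name is masked on the page, so
# "standard" is used here as it appears in the page's signature string.
URL = "rtmp://demo.aliyundoc.com/video/standard"
KEY = "aliyunliveexp1234"
EXPIRES = 1622194197  # 17:29:57 on May 28, 2021 (UTC+8)

if __name__ == "__main__":
    signed = sign_url(URL, KEY, EXPIRES)
    print(signed)
    print(verify_url(signed, KEY, now=EXPIRES - 60))  # before expiry
    print(verify_url(signed, KEY, now=EXPIRES + 1))   # after expiry
    print(verify_url(signed.replace("standard", "other"), KEY, now=EXPIRES - 60))
```
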

Usage notes

  • By default, URL signing is enabled. We recommend that you keep this feature enabled to prevent your content from being pirated. If you want to disable URL signing, make sure that you understand the risks of unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing on the URL Signing page in the ApsaraVideo Live console.

  • You must manually set the auth_key field. ApsaraVideo Live provides no API operation for calculating the value of the auth_key field.

  • After you enable URL signing, you must add the auth_key field to the ingest and streaming URLs. Otherwise, live streams cannot be played. You cannot sign only the ingest URL or the streaming URL. You must sign them both.

  • Signed URLs remain valid until their expiration timestamp. You can access a signed URL anytime before it expires. ApsaraVideo Live does not support one-time signed URLs.

  • The md5hash in the auth_key field is calculated from the URI without the queryString fields. For more information, see the preceding section about setting URL signing parameters. The URIs of both the ingest and streaming URLs are AppName/StreamName. If the ingest URL is not confidential, we recommend that you set the expiration timestamp as close to the current time as possible. This prevents malicious access to the streaming URL.

  • For ingest and streaming URLs in the Real-Time Messaging Protocol (RTMP), FLV, and Real-Time Streaming (RTS) formats, requests are authenticated only when stream ingest or streaming begins. Ongoing stream ingest or streaming is not interrupted if the signed URL expires during the process.

  • For streaming URLs in the M3U8 format, requests are authenticated at the beginning of streaming and during streaming. Ongoing streaming is interrupted if the signed URL expires during the process.

  • If you want to dynamically control the validity period of signed URLs, you can use the relevant SDK to dynamically specify the AppName and StreamName parameters. For more information, see Sample code for URL signing.