Anti-Leech
Anti-Leech protects ingest endpoints and delivery streams from unauthorized use. LLS provides three authentication modes that operators can configure per domain. Each mode controls how stream tokens are validated before a push or playback request is accepted.
Authentication Modes
Default Authentication
Default Authentication generates a time-limited, MD5-encrypted token that is appended to the ingest URL. This mode provides a strong baseline security layer without requiring external infrastructure.
| Property | Details |
|---|---|
| Encryption | MD5 |
| Key length | 16 characters |
| Token validity | 24 hours |
| Configuration | Set the 16-character key in the domain's Anti-Leech settings |
The platform validates the token on each connection attempt and rejects any request with an expired or invalid token.
3rd-Party Token Authentication
3rd-Party Token Authentication delegates token validation to an external authentication service operated by the customer. When a stream push or playback request arrives, LLS forwards the request parameters to the customer's configured authentication endpoint. The external service returns an allow or deny decision.
This mode is suitable for organizations that require integration with existing identity and access management systems or need custom authorization logic beyond time-based expiry.
| Property | Details |
|---|---|
| Validation | Forwarded to the customer's authentication endpoint |
| Parameters | Custom query parameters passed through with the request |
| Flexibility | Full control over authorization logic at the customer's endpoint |
Non-Token Authentication
Non-Token Authentication disables token-based access control. Streams can be pushed to or played back from the domain without any token validation.
Non-Token Authentication is not recommended for production environments. Without token validation, any party with knowledge of the ingest or playback URL can push streams to or consume content from the domain. Use Default Authentication or 3rd-Party Token Authentication to protect production streams.
Ingest URL Format
When Default Authentication or 3rd-Party Token Authentication is enabled, the encoder or broadcasting software must include a valid token in the ingest URL. The standard ingest URL format is:
rtmp://{ingest_domain}/{app}/{stream}?token={token}&{custom_parameters}=...
| Placeholder | Description |
|---|---|
{ingest_domain} | The registered and active ingest domain |
{app} | The application name configured for the stream |
{stream} | The unique stream key identifying the individual stream |
{token} | The authentication token generated or provided by the authentication system |
{custom_parameters} | Optional additional query parameters required by 3rd-Party Token Authentication endpoints |
Configuring Anti-Leech
- In the LLS console, navigate to Domains.
- Locate the target ingest domain and click Config in the Operations column.
- Select the Anti-Leech tab.
- Choose the desired authentication mode.
- For Default Authentication, enter the 16-character encryption key.
- For 3rd-Party Token Authentication, enter the URL of the external authentication endpoint.
- Save the configuration.
Changes take effect immediately for new connection attempts.