MOQ Beta | Now Open For Enterprises / Learn More

Red5 Documentation

MOQ Authentication

MOQ authentication uses two independent layers. Both must pass for a client to publish or subscribe.

Architecture

Client                          Relay                       Red5 Pro Plugin
  |                               |                               |
  |-- SUBSCRIBE/PUBLISH --------> |                               |
  |   (AUTHORIZATION_TOKEN)       |                               |
  |                        [Layer 1: Token Validation]            |
  |                        CAT or Simple Token check              |
  |                               |                               |
  |                               |-- PublisherCreated Event ---> |
  |                               |   (includes authSubject)      |
  |                               |                    [Layer 2: JWT Validation]
  |                               |                    claims: sig, expiry, roles
  |<-- SUBSCRIBE_OK/PUBLISH_OK -- |                               |

Layer 1: Relay-Level Tokens

Validated during the MoQ control message exchange. The token is carried in the AUTHORIZATION_TOKEN parameter (0x03) of SUBSCRIBE, PUBLISH, and FETCH messages.

Token Wire Format

Per the MoQ Transport specification, the token structure supports aliasing:

Alias Type Value Fields Present
DELETE 0x0 Alias only
REGISTER 0x1 Alias, Type, Value
USE_ALIAS 0x2 Alias only
USE_VALUE 0x3 Type, Value (most common)

For typical use, send USE_VALUE (0x3) with Token Type and Token Value.

CAT Token (Common Access Token)

HMAC-SHA256 signed CBOR Web Token with MoQ-specific claims.

# conf/moq-plugin.properties

# Enable CAT authentication
auth.cat.enabled=true

# Base64-encoded shared secret for HMAC-SHA256 signature verification
auth.cat.shared.secret=YOUR_BASE64_SECRET

# Allow clients that send no token (useful during testing)
auth.cat.allow.anonymous=false

# Clock skew tolerance in seconds
auth.cat.expiration.tolerance=60

Simple Token

Shared secret passed as a plain string — negotiated out of band.

auth.simple.token.enabled=false
auth.simple.token.secret=YOUR_SHARED_SECRET

Layer 2: Plugin-Level JWT

After relay-level validation, the plugin validates a JWT using Red5 Pro’s simple-auth-plugin integration. Validated claims include: signature, expiry, roles, transport, and room.

JWT validation is configured through the simple-auth-plugin, not in moq-plugin.properties. Refer to the Authentication documentation for setup instructions.