Last update:2026-07-02 17:32:06
Access Control lets you control who can access live streams by filtering requests by client IP, HTTP Referer, HTTP User-Agent, signed URL token, or a remote authentication server. Rules can be scoped to a directory, file type, or URL pattern, and each rule can use a priority value to determine evaluation order when more than one rule matches a request.
It includes the following controls:
| Control | What it filters | Protocols |
|---|---|---|
| IP Access List | Client IP address or CIDR block | All |
| Referer Access List | HTTP Referer header |
HLS, DASH, HTTP-FLV, WebRTC |
| User-Agent Access List | HTTP User-Agent header |
HLS, DASH, HTTP-FLV, WebRTC |
| Token Authentication | Signed token and timestamp in the URL | All |
| Remote Authentication | Your own auth server’s decision | All |
IP Access List allows or blocks requests based on the client IP address or CIDR block.
| Option | Target | Scope value format |
|---|---|---|
| Specific Directory | Files under the specified path | Path starts and ends with /. Enter one path per line. Example: /live/ |
| Specific File Type | Files with the specified extension | Enter extensions without dots, separated by semicolons (;). Example: flv;m3u8;ts |
| URL Pattern (Regex) | URLs that match a regular expression | Enter the URL path regular expression. Example: live/.*\.(m3u8\|flv)($\|.*) |
Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.
;). The field supports up to 65,535 characters, which is about 3,000 IP addresses.10.Referer Access List allows or blocks requests based on the HTTP Referer header. Use it to restrict which websites can embed or link to your live streams.
Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.
Choose the input mode:
Enter Referer values based on the selected mode.
Domain/URL List mode
| Field | Format | Example |
|---|---|---|
| Blocked/Allowed Referers (Domain Only) | Domain names without http:// or https://, one per line |
www.example.com |
| Blocked/Allowed Referers (Full URL) | Full URLs starting with http:// or https://, one per line |
https://www.example.com/player |
Regular Expression mode
| Field | Required | Format | Example |
|---|---|---|---|
| Blocked/Allowed Referers (Regex) | Yes | Regular expressions, one per line | ^https?://www\.example\.com/.* |
Referer header are allowed.10.User-Agent Access List allows or blocks requests based on the HTTP User-Agent header.
Important: Only one allowlist rule is supported. If you need to allow multiple entries, add all entries to the same allowlist rule.
10.Token Authentication requires playback URLs to include a signature and expiry timestamp. The CDN validates the signature and timestamp before allowing access.
| Field | Required | Default | Description |
|---|---|---|---|
| Signature Parameter Name | No | token |
URL query parameter that carries the signature. |
| Timestamp Parameter Name | No | time |
URL query parameter that carries the expiry timestamp. |
| KEY | Yes | — | Signing key. If you enter multiple keys, separate them with semicolons (;). |
| Timestamp Format | Yes | UNIX Timestamp | Timestamp format. Options include UNIX Timestamp and Hexadecimal. |
| Expiration Time | Yes | — | Token validity duration in seconds. Maximum: 31536000. |
| Signature Components | Yes | KEY+PATH+TIME |
Order used to concatenate the key, URI path, and timestamp before generating the signature. |
| Option | Concatenation order |
|---|---|
KEY+PATH+TIME |
key → URI path → timestamp |
KEY+TIME+PATH |
key → timestamp → URI path |
PATH+KEY+TIME |
URI path → key → timestamp |
PATH+TIME+KEY |
URI path → timestamp → key |
TIME+PATH+KEY |
timestamp → URI path → key |
TIME+KEY+PATH |
timestamp → key → URI path |
Remote Authentication forwards request information to your authentication server and allows or denies access based on the server response.
Note: Remote Authentication is not available for HLS origin-pull domains.
https://auth.example.com/api/check?service=live.| Option | Behavior |
|---|---|
| Retain all | Forward all query parameters from the original request URL. |
| Delete all | Do not forward original query parameters. |
| Retain specified | Forward only the specified query parameters. |
| Variable | Default parameter name | Description |
|---|---|---|
| Client IP | ip |
Client IP address. |
| Stream Name | streamName |
Live stream name. |
| Stream Type | type |
Stream protocol type. |
| HOST | host |
Original request hostname. |
| CDN Edge IP | cdnip |
CDN edge node IP address. |
| Application name | appName |
Live application name. |
| Server IP | serverIp |
CDN server IP address. |
| Request URL | url |
Original request URL. |
| Request Referer | referer |
Original request Referer header. |
;).1 to 10 seconds. The default value is 5.0 to 5. The default value is 0.| Feature | HLS | DASH | HTTP-FLV | WebRTC | RTMP |
|---|---|---|---|---|---|
| IP Access List | ✓ | ✓ | ✓ | ✓ | ✓ |
| Referer Access List | ✓ | ✓ | ✓ | ✓ | ✗ |
| User-Agent Access List | ✓ | ✓ | ✓ | ✓ | ✗ |
| Token Authentication | ✓ | ✓ | ✓ | ✓ | ✓ |
| Remote Authentication | ✓ | ✓ | ✓ | ✓ | ✓ |