# Authentication
Flex Video supports optional password-based authentication with session tokens and API keys.
## Authentication Flow
```
┌─────────────────────────────────────────────────────────────┐
│                     Authentication Flow                     │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌──────────┐    POST /auth/login     ┌──────────────────┐  │
│  │  Client  │ ──────────────────────► │   Flex Video     │  │
│  │          │ ◄────────────────────── │   API Server     │  │
│  └──────────┘   { token, expires }    └──────────────────┘  │
│       │                                        │            │
│       │     Authorization: Bearer <token>      │            │
│       │ ─────────────────────────────────────► │            │
│       │                                        │            │
│       │ ◄───────────────────────────────────── │            │
│       │         Protected resource             │            │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
## Check Auth Status
Determine if authentication is enabled:
Response:
When auth_enabled is false, all endpoints are accessible without credentials.
## Setting a Password
### First-Time Setup
When no password is set, anyone can set one:
```bash
curl -X PUT http://localhost:3539/flex/auth/password \
  -H "Content-Type: application/json" \
  -d '{"password": "your-secure-password"}'
```
### Changing Password
Requires authentication:
```bash
curl -X PUT http://localhost:3539/flex/auth/password \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"password": "new-password"}'
```
### Removing Password
Disables authentication:
## Session Tokens
### Login
```bash
curl -X POST http://localhost:3539/flex/auth/login \
  -H "Content-Type: application/json" \
  -d '{"password": "your-password"}'
```
Response:
Tokens are valid for 24 hours.
### Using Tokens
Include the token in the Authorization header:
### Logout
Invalidate the current token:
## API Keys
API keys provide service-to-service authentication without login.
### Configuration
The API key is set via the `FLEX_API_KEY` environment variable:
The installer auto-generates a unique key during installation.
### Using API Keys
Include the key in the X-API-Key header:
### Use Cases
| Auth Method | Use Case |
|---|---|
| Session Token | Web UI, interactive clients |
| API Key | Automation, service integration |
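The two credential types above differ only in which header the client sends. The following client, added here as an example rather than code shipped with Flex Video, walks the flow from the diagram: check `/flex/auth/status`, log in with a password to receive `{ token, expires }`, then attach either `Authorization: Bearer <token>` or `X-API-Key` to later requests. The HTTP transport is injectable so the same client runs against a live server or against the constructed stand-in at the bottom; the stand-in's token, key, password and the `/flex/example` path are invented for the demo, and the format of `expires` is left as whatever the server returns.

```python
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body bytes),
# so the client logic is the same whether it talks to a real server or a fake.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTP transport using only the standard library."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FlexAuthClient:
    """Minimal client for the auth endpoints on this page: a session token
    (Authorization: Bearer) or an API key (X-API-Key) is attached to
    protected requests, matching the two methods in the Use Cases table."""

    def __init__(self, base_url: str = "http://localhost:3539",
                 api_key: Optional[str] = None,
                 transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport
        self.token: Optional[str] = None
        self.expires = None  # kept as returned; the page does not fix its format

    def credential_headers(self) -> Dict[str, str]:
        """API key for service-to-service use, otherwise the session token."""
        if self.api_key:
            return {"X-API-Key": self.api_key}
        if self.token:
            return {"Authorization": f"Bearer {self.token}"}
        return {}

    def _request(self, method: str, path: str, body: Optional[dict] = None,
                 authed: bool = False) -> Tuple[int, bytes]:
        headers = {"Content-Type": "application/json"}
        if authed:
            headers.update(self.credential_headers())
        data = json.dumps(body).encode() if body is not None else None
        return self.transport(method, self.base_url + path, headers, data)

    def auth_enabled(self) -> bool:
        status, raw = self._request("GET", "/flex/auth/status")
        if status != 200:
            raise RuntimeError(f"status check failed with HTTP {status}")
        return bool(json.loads(raw).get("auth_enabled"))

    def login(self, password: str) -> str:
        status, raw = self._request("POST", "/flex/auth/login", {"password": password})
        if status != 200:  # an invalid login attempt is answered with 400
            raise PermissionError(f"login rejected with HTTP {status}")
        payload = json.loads(raw)
        self.token, self.expires = payload["token"], payload.get("expires")
        return self.token

    def set_password(self, new_password: str) -> int:
        """First-time setup needs no credentials; changing one requires auth."""
        return self._request("PUT", "/flex/auth/password",
                             {"password": new_password}, authed=True)[0]

    def get_protected(self, path: str) -> Tuple[int, bytes]:
        return self._request("GET", path, authed=True)


# Constructed stand-in for the server so the example runs offline. It models
# only what the page states: invalid login -> 400, missing or invalid
# credentials on a protected path -> 401. Token, key and password are invented.
def fake_transport(method: str, url: str, headers: Dict[str, str],
                   body: Optional[bytes]) -> Tuple[int, bytes]:
    path = urllib.parse.urlsplit(url).path
    has_creds = (headers.get("Authorization") == "Bearer constructed-token"
                 or headers.get("X-API-Key") == "constructed-key")
    if method == "GET" and path == "/flex/auth/status":
        return 200, b'{"auth_enabled": true}'
    if method == "POST" and path == "/flex/auth/login":
        if json.loads(body or b"{}").get("password") == "correct horse":
            return 200, b'{"token": "constructed-token", "expires": "constructed"}'
        return 400, b'{"error": "invalid login"}'
    return (200, b'{"ok": true}') if has_creds else (401, b'{"error": "unauthorized"}')


if __name__ == "__main__":
    client = FlexAuthClient(transport=fake_transport)  # swap for urllib_transport live
    print("auth enabled:", client.auth_enabled())
    print("before login:", client.get_protected("/flex/example")[0])  # 401
    client.login("correct horse")
    print("after login:", client.get_protected("/flex/example")[0])   # 200
```

Against a real deployment, construct `FlexAuthClient()` with the default transport; the password for `login` should come from the operator rather than be hard-coded, and the token can be reused until the server reports it expired or it has been invalidated by logout.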
## Public Endpoints
These endpoints never require authentication:
| Endpoint | Purpose |
|---|---|
| `GET /flex/health` | Health checks |
| `GET /flex/healthz` | Kubernetes probes |
| `GET /flex/version` | Version info |
| `GET /flex/auth/status` | Check if auth enabled |
| `POST /flex/auth/login` | Obtain token |
## Protected Endpoints
### Trigger Endpoints
MediaMTX webhook endpoints require API key authentication:
The MediaMTX container is configured with the same FLEX_API_KEY to authenticate webhook calls.
### All Other Endpoints
When auth is enabled, all other endpoints require either:
- Valid session token (`Authorization: Bearer`)
- Valid API key (`X-API-Key`)
## Error Responses
### 401 Unauthorized
Missing or invalid credentials:
### 400 Bad Request
Invalid login attempt:
## Security Best Practices
- Use strong passwords: minimum 12 characters, mixed case, numbers, symbols
- Rotate API keys: periodically regenerate keys
- Use HTTPS: in production, terminate TLS at a reverse proxy
- Limit token lifetime: tokens expire in 24 hours by default
- Secure the `.env` file: restrict file permissions (`chmod 600`)
## Implementation Notes
### Token Storage
Tokens are stored in an encrypted Hive database. Token validation checks:
- Token exists in store
- Token hasn't expired
- Token hasn't been invalidated (logout)
### Password Hashing
Passwords are hashed using bcrypt before storage. The original password is never stored.
### API Key Validation
API keys are compared using constant-time comparison to prevent timing attacks.
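The three token checks, the constant-time key comparison, the public-endpoint allowlist and the session-token-or-API-key rule for protected endpoints fit together in one request-authorization routine. The block below is an added illustration of those rules, not Flex Video's own implementation: the in-memory `TokenStore` stands in for the encrypted Hive database, the 24-hour lifetime comes from the page, and the `/flex/trigger/` prefix for MediaMTX webhook endpoints is a placeholder because the page does not list their paths. The `now` parameter exists so expiry can be exercised without waiting a day.

```python
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

TOKEN_TTL_SECONDS = 24 * 60 * 60  # tokens are valid for 24 hours

# Endpoints that never require authentication (the Public Endpoints table).
PUBLIC_ENDPOINTS = {
    ("GET", "/flex/health"),
    ("GET", "/flex/healthz"),
    ("GET", "/flex/version"),
    ("GET", "/flex/auth/status"),
    ("POST", "/flex/auth/login"),
}

# Placeholder: the page says MediaMTX webhook (trigger) endpoints accept only
# the API key but does not give their paths, so this prefix is assumed.
TRIGGER_PREFIX = "/flex/trigger/"


class TokenStore:
    """In-memory stand-in for the encrypted token store; it exists only to
    show the three validation checks (exists, not expired, not logged out)."""

    def __init__(self) -> None:
        self._expiry: Dict[str, float] = {}  # token -> expiry (unix seconds)
        self._revoked: Set[str] = set()      # tokens invalidated by logout

    def issue(self, now: Optional[float] = None) -> Tuple[str, float]:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # unguessable, from the OS CSPRNG
        expires = now + TOKEN_TTL_SECONDS
        self._expiry[token] = expires
        return token, expires

    def revoke(self, token: str) -> None:
        """Logout: keep the record but mark the token invalid."""
        self._revoked.add(token)

    def is_valid(self, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        expires = self._expiry.get(token)
        if expires is None:           # 1. token exists in store
            return False
        if now >= expires:            # 2. token hasn't expired
            return False
        if token in self._revoked:    # 3. token hasn't been invalidated (logout)
            return False
        return True


def api_key_matches(presented: Optional[str], configured: str) -> bool:
    """Constant-time comparison: a plain `==` stops at the first differing
    byte, so response time would reveal how much of the key was right."""
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), configured.encode())


def authorize(method: str, path: str, headers: Dict[str, str], store: TokenStore,
              api_key: str, auth_enabled: bool = True,
              now: Optional[float] = None) -> int:
    """Return 200 if the request may proceed, else 401 (missing/invalid credentials)."""
    if (method, path) in PUBLIC_ENDPOINTS or not auth_enabled:
        return 200
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    key_ok = api_key_matches(hdrs.get("x-api-key"), api_key)
    if path.startswith(TRIGGER_PREFIX):
        return 200 if key_ok else 401  # webhook endpoints: API key only
    if key_ok:
        return 200
    scheme, _, token = hdrs.get("authorization", "").partition(" ")
    if scheme == "Bearer" and token and store.is_valid(token, now):
        return 200
    return 401


if __name__ == "__main__":
    store, key = TokenStore(), "constructed-key"
    token, _ = store.issue()
    print(authorize("GET", "/flex/example", {"Authorization": f"Bearer {token}"}, store, key))  # 200
    store.revoke(token)
    print(authorize("GET", "/flex/example", {"Authorization": f"Bearer {token}"}, store, key))  # 401
```

The check order matters for a defender: the public allowlist is an exact `(method, path)` match rather than a prefix, so a new route is protected by default until it is deliberately listed, and revocation is checked on every request rather than only at login, which is what makes logout effective before the 24-hour expiry.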