Document Version: 2.3
Last Updated: October 2024
Product: WINK Media Router Firmware 2.x
Note: Firmware 3.x coming Q4 2024 with enhanced features
Camera sharing between agencies has become a critical requirement for modern surveillance operations. Whether supporting DOT traffic operations, enabling emergency response coordination, or providing public transparency through citizen portals, secure and reliable video distribution is essential.
WINK Media Router addresses these requirements by providing a secure proxy layer between camera owners and external consumers. This document outlines implementation strategies, security considerations, and best practices for multi-agency video sharing deployments. For technical API details, refer to the WINK API Reference Manual.
The fundamental principle underlying all our recommendations: camera owners maintain complete control. External agencies never receive direct camera access. This approach ensures security while enabling the collaboration modern operations require.
When you request camera access from a WINK Media Router customer, you're entering a professional video distribution ecosystem designed for security and reliability. This section explains what you can expect and how to make the most of your access.
The specific resources available to your organization depend entirely on your agreement with the camera owner. Typically, partners receive access to specific cameras relevant to their operational needs, with bandwidth and concurrent connection limits appropriate to their use case. These limits aren't arbitrary - they're designed to ensure reliable service for all partners while protecting the source infrastructure.
Most partnerships include access during standard business hours with technical support available for integration issues. Some agreements may include 24/7 access for emergency operations or other critical functions. The key point: your access parameters are determined by policy agreements with the camera owner, not technical limitations of the platform.
Understanding limitations helps set appropriate expectations. You won't receive direct access to cameras or the underlying network infrastructure - all access flows through the Media Router proxy layer. VPN access is not provided as it represents an unnecessary security risk when better alternatives exist. The ability to reshare streams to third parties requires explicit permission and typically isn't granted without careful consideration. Custom codec configurations or special processing also require approval from the camera owner.
| Method | Best For | Latency | Setup Complexity | Requirements |
|---|---|---|---|---|
| HLS + OTP | Web viewing, public portals | 3-5 seconds | Easy | Any web browser |
| RTSP + IP Whitelist or OTP | VMS/NVR integration | <500ms | Moderate | Compatible VMS |
| RTMP + IP Whitelist or OTP | Legacy systems, CDN ingest | 1-2 seconds | Easy | RTMP-compatible player |
| SRT + Key | Broadcast production | <1 second | Complex | SRT-compatible decoder |
One-Time Password (OTP) authentication has emerged as our recommended approach for most partner integrations. The system provides secure, time-limited access without the complexity of permanent credentials or certificate management.
OTP works through a straightforward process. Your application requests a token from the Media Router API, receives a unique token with specified expiration time, and appends this token to stream URLs. When the token expires, your application requests a new one. This cycle ensures continuous access while maintaining security.
Here's how OTP actually works in production, using examples from the WINK API:
# Creating an OTP token with 10-minute duration (default)
curl -d "apiuser=partner_api&apipass=secure_password&action=create&duration=10&hash_type=numeric&hash_length=20" \
-X POST https://router.agency.gov/otp/api/
# Response: 24814928371014572819
# Using the token in your stream URL
https://router.agency.gov/hls/camera-42/playlist.m3u8?token=24814928371014572819
# Extending token lifetime when needed
curl -d "apiuser=partner_api&apipass=secure_password&action=extend&token=24814928371014572819&duration=15" \
-X POST https://router.agency.gov/api/v1/otp/
# Querying token status
curl -d "apiuser=partner_api&apipass=secure_password&action=tokeninfo&token=24814928371014572819" \
-X POST https://router.agency.gov/api/v1/otp/
The beauty of OTP lies in its simplicity. No complex certificate management, no permanent credentials to rotate, and automatic expiration ensures forgotten tokens don't become security liabilities. Most importantly, each token provides a complete audit trail of who accessed what and when.
Why is there a delay on HLS streams?
HLS uses segment-based delivery to ensure reliability over varied network conditions. The 3-5 second latency is inherent to the protocol. If your use case requires sub-second latency, RTSP or SRT protocols are more appropriate, though they require compatible receiving systems.
Our IP addresses change frequently. How should we handle authentication?
OTP authentication is ideal for dynamic network environments. Since tokens work from any IP address, you won't need to request whitelist updates. This approach is both more secure and more flexible than IP-based authentication.
Can we redistribute streams to our partners?
Stream redistribution requires explicit permission from the camera owner. If you need to share video with multiple internal users, consider implementing edge caching within your own infrastructure rather than creating multiple connections to the source.
Is H.265/HEVC encoding available?
The default codec is H.264 for maximum compatibility. Alternative codecs require technical justification and approval from the camera owner, as they may impact system resources and compatibility with other partners.
Partner agencies often find it most efficient to deploy their own WINK Media Router instance. This approach provides complete control over your video distribution while maintaining security boundaries with source agencies.
WINK Streaming offers several deployment options tailored for partner agencies:
Benefits of operating your own Media Router include unlimited internal distribution, custom authentication policies, direct integration with your systems, no bandwidth restrictions from source agencies, and ability to aggregate feeds from multiple sources. Contact sales@wink.co to discuss options tailored to your organization's requirements.
Twelve years of production deployments have taught us valuable lessons about camera sharing. This section distills those experiences into practical guidance for agencies operating WINK Media Router.
The most important lesson: partners often request more access than they need. Direct RTSP access to cameras might seem simpler, but it creates unacceptable security risks. The proxy architecture of WINK Media Router exists specifically to provide necessary access while maintaining security boundaries. Understanding this principle helps frame productive discussions with potential partners about what's possible versus what's prudent.
| Partner Type | Recommended Auth | Why | Configuration Example |
|---|---|---|---|
| News Media | HLS + OTP | Web-based, public facing, needs easy revocation | token_duration: 30min, bandwidth: 10mbps |
| Partner Agency VMS | RTSP + IP Whitelist | Fixed location, system integration | allowed_ips: [10.0.0.0/24], max_connections: 25 |
| Emergency Operations | Multiple Methods | Redundancy for critical operations | primary: rtsp+ip, backup: hls+otp |
| Temporary Events | HLS + Time-Limited OTP | Auto-expires after event | token_duration: 1h, auto_revoke: true |
IP whitelisting provides network-level security suitable for fixed infrastructure. However, it requires responsible usage and comes with automatic enforcement mechanisms.
Even whitelisted IP addresses are subject to heuristic monitoring. Odd behavior or excessive usage patterns will trigger automatic temporary blocking. The system enforces progressive blocking periods:
Common triggers include rapid connection attempts exceeding normal patterns, accessing unauthorized cameras, bandwidth usage spikes beyond allocated limits, and patterns suggesting credential sharing or redistribution.
While we support IP updates when needed, frequent changes indicate a mismatch between your infrastructure and IP-based authentication. If you're updating IPs more than once per month, consider switching to OTP authentication or obtaining your own WINK Media Router license. Emergency changes remain available for critical situations, but patterns of frequent updates will prompt a discussion about more suitable authentication methods.
If you deploy CloudFlare, AWS WAF, or other CDN/proxy infrastructure in front of WINK Media Router, be aware that these services may interfere with live streaming. We cannot provide support for issues caused by third-party proxy configurations.
Common configurations that cause problems include CloudFlare's "Always Online" mode which attempts to cache live streams, browser integrity checks that block legitimate video players, AWS WAF rate limiting that interferes with segment requests, and generic reverse proxies without proper streaming support.
To determine whether issues stem from proxy configuration, test direct access to the Media Router. If direct access works while proxied access fails, the proxy configuration requires adjustment.
This guide covers WINK Media Router Firmware 2.x ONLY.
NOT covered here:
Customer Feedback Request: Several customers have asked about unified Vision + Router sharing. If this would be valuable for your deployment, please let us know. We're gauging interest for a potential Firmware 3.x feature.
Experience with thousands of partner integrations has demonstrated that complete isolation between camera infrastructure and partner access provides the only sustainable long-term architecture. This approach balances security requirements with operational flexibility.
Traditional (Problematic) Approach:
Cameras ──RTSP──> Partner Systems ──> Their Users
↑
└── Direct access = Security nightmare
WINK Media Router Approach:
Cameras ──RTSP──> WINK Router ──HLS/RTSP/SRT──> Partner Endpoint ──> Their Users
↑ ↑ ↑
Safe Control Point Isolated
Internal Monitoring No camera access
Rate limits
Auth checks
Usage logs
October 2024 perspective: After twelve years of production deployments, here's what actually works:
Let's be crystal clear about our codec policy as of October 2024:
Video Codec: H.264 Baseline Profile
Resolution: Source (no upscaling, downscaling on request)
Bitrate: Adaptive 400kbps - 4Mbps
Framerate: Source (typically 10-30fps)
GOP Size: 2 seconds (60 frames @ 30fps)
Audio: AAC 64kbps mono (if present)
Container: Depends on protocol (TS for HLS, RTP for RTSP)
Want something different? Here's the process:
Experience has shown that codec changes often introduce more problems than they solve. A recent example illustrates this: a partner requested H.265 for bandwidth reduction, but their viewing software lacked H.265 support. The resulting compatibility issues and increased processing load on the source system required reverting to H.264.
This reinforces our recommendation: H.264 provides universal compatibility and proven reliability. For a detailed analysis of why H.264 remains the optimal choice for most deployments, see our technical brief: Why H.264 Is Almost Always The Answer. Alternative codecs should only be considered when there's a compelling technical requirement and confirmed end-to-end compatibility.
Our heuristic monitoring system (refined continuously since 2021) watches for these patterns:
# Suspicious Patterns That Trigger Alerts
1. Credential Sharing Indicators:
- Same token used from >3 distinct IPs within 1 hour
- Geographic impossibility (NYC and LA within minutes)
- User-agent changes mid-session
2. Bandwidth Abuse:
- Sustained usage >80% of limit for >1 hour
- Spike to >200% of normal without prior notice
- Downloading rather than streaming (rapid segment requests)
3. Unauthorized Redistribution:
- Multiple identical streams from same source
- Reverse proxy signatures in requests
- CDN headers in requests (CloudFlare, Akamai, etc.)
4. System Abuse:
- >10 auth failures per minute
- Connection rate >20/minute sustained
- Attempting to access non-authorized cameras
Automated Responses:
Level 1 (Warning): Email to technical contact
Level 2 (Throttle): Bandwidth reduced to 50%
Level 3 (Suspend): Access blocked, manual review required
Level 4 (Terminate): Partnership ended, legal notified
Security isn't a feature , it's the foundation. Here's our multi-layer approach as implemented in WINK Media Router 2.x:
Camera Network (Private) | WINK Media Router | Partner Network (DMZ) | Internet
10.0.0.0/8 | Proxy/Firewall | 172.16.0.0/12 | Public IPs
No routes out | State inspection | Limited routes | Full exposure
| Rate limiting |
// Token Generation (Server Side)
function generateOTP($partnerId, $cameraList, $duration = 10) {
$token = [
'pid' => $partnerId,
'cams' => $cameraList,
'exp' => time() + ($duration * 60),
'ip' => $_SERVER['REMOTE_ADDR'],
'sig' => null
];
// Sign token to prevent tampering
$token['sig'] = hash_hmac('sha256', json_encode($token), SECRET_KEY);
// Store in Redis for quick validation
Redis::setex("otp:{$token}", $duration * 60, json_encode($token));
return base64_encode(json_encode($token));
}
// Token Validation (Every Request)
function validateOTP($token) {
// Check Redis first (fast path)
if (!Redis::exists("otp:{$token}")) {
logSecurityEvent('Invalid token attempt', $token);
return false;
}
$data = json_decode(base64_decode($token), true);
// Verify signature
$sig = hash_hmac('sha256', json_encode(array_diff_key($data, ['sig' => 1])), SECRET_KEY);
if ($sig !== $data['sig']) {
logSecurityEvent('Tampered token detected', $token);
return false;
}
// Check expiration
if ($data['exp'] < time()) {
Redis::del("otp:{$token}");
return false;
}
return $data;
}
The Media Router implements sophisticated rate limiting to prevent abuse while allowing legitimate usage:
Rate Limiting Configuration:
Authentication Endpoints:
- 1 request per second baseline
- Burst allowance: 5 requests
- Exceeded: HTTP 429 response
Stream Endpoints:
- 100 requests per second for segments
- 25 concurrent connections per IP
- Burst handling for player buffering
Protection Mechanisms:
- Connection rate limiting (prevents scanning)
- Geographic anomaly detection
- Bandwidth quota enforcement
- Automatic temporary blocking for violations
Every access is logged with:
October 2024 guidance based on twelve years of production use:
| Criterion | Use OTP | Use JWT |
|---|---|---|
| Complexity | Simple - just a token | Complex - claims, signatures, validation |
| Performance | Fast - Redis lookup | Slower - cryptographic validation |
| Revocation | Instant - delete from Redis | Difficult - need blacklist |
| Use case fit | 95% of video streaming | Complex permission models |
| Integration effort | Append to URL | Header handling, libraries needed |
While we support JWT for complex enterprise requirements, our experience shows that OTP meets the needs of most deployments more effectively. JWT becomes valuable primarily in multi-tenant scenarios requiring attribute-based access control. For standard camera sharing use cases, OTP provides a simpler, faster, and more manageable solution.
Checklist:
□ Is your IP whitelisted? curl -I https://router.agency.gov/health
□ Is your token valid? Check expiration time
□ Is the camera actually online? We don't control upstream
□ Are you using the right protocol? HLS needs .m3u8, not .rtsp
□ Console errors? CORS issues mean you need proper headers
Answer: You're using HLS. HLS segments are typically 2 seconds each, and players buffer 2-3 segments. This is normal. If you need lower latency, use RTSP or SRT. For a comprehensive analysis of protocol characteristics and latency trade-offs, refer to our Protocol Comparison for Long-Distance Streaming guide.
Common causes:
1. Token expired (check timestamp)
2. Hitting rate limits (check your usage)
3. Network issues (run traceroute)
4. Player timeout (increase buffer size)
5. We're enforcing limits (check your email)
Answer: Yes, but first show us your usage patterns. If you're constantly at 80%+, you probably need your own WINK Media Router license.
Answer: This is why we recommend OTP. If you're updating IPs more than monthly, switch to OTP.
Answer: No. You get access to specific cameras based on your agreement. Request additions through proper channels.
Quality is determined by:
1. Source camera (we don't upscale)
2. Bandwidth allocation (more bandwidth = higher quality)
3. Network conditions (packet loss degrades quality)
4. Player settings (check if player is requesting lower quality)
Answer: There is no watermark from WINK Media Router. If you see one, it's from the source camera or your player.
Usually means:
- Production firewall blocking ports
- Production proxy interfering (see CloudFlare warnings)
- Different network path with more restrictions
- SSL certificate issues (check cert chain)
Answer: Your OTP token expired. Tokens default to 10 minutes unless explicitly set longer. Implement token refresh in your application or request longer duration tokens if appropriate for your use case.
Twelve years of production experience with WINK Media Router has validated our core architectural principles while teaching valuable lessons about real-world deployment challenges. The system successfully balances security requirements with operational flexibility, enabling thousands of partnerships to share video resources effectively.
Key insights from our deployment experience include the effectiveness of OTP authentication for most use cases, the critical importance of proxy isolation for security, the value of clear limits with consistent enforcement, and the universal compatibility advantages of H.264 encoding.
Looking ahead to Firmware 3.x (Q4 2024), planned enhancements include improved analytics capabilities, refined rate limiting algorithms, and potential integration between WINK Vision and Media Router platforms based on customer feedback.
| Technical Support: support@wink.co | Security Issues: security@wink.co | Sales/Licensing: sales@wink.co |
WINK Media Router Firmware 2.x | Document Version 2.3 | October 2024
© 2024 WINK Streaming. All rights reserved.