Authentication and Encryption of the Server API.

[vt-tv]

Implementers of the Server API will need to ensure secure access to the endpoint. Other projects such as NMOS have defined how to acheive this. More specifically: NMOS IS-10 : https://specs.amwa.tv/is-10/

(IS-10 uses a very standard and common approach based on JSON Web Tokens and OAuth 2.0)

[didikunz]

If I remember right, we briefly discussed this during one of the meetings. Did we agreed, that this is unnecessary, because the server is usually not publicly available?

In Caspar there is the LOCK command, maybe something similar could be added. This is, in a way, the other way around, it gives an operator the possibility to lock a surface (channel) for exclusive access, based on the IP address, if necessary. Prevents somebody to accidentally break into a running live show.

[nytamin]

Yes, it has been briefly discussed.
IIRC we concluded in that it shouldn't be included in the initial version of the API specification (deferring any security to vendor-specific implementations), but that we where open to adding something to the specification at a later time.

[nytamin]

Notes from Working Group 2025-11-12:

We're focusing on getting a first version of the Server API ready for now, and we will put security on the roadmap afterwards,