We’re excited to have you join us! By registering, you’ll gain access to exclusive content, including leaked files and nulled software. Engage with our community, share your insights, and stay updated on the latest releases.

Get ready to explore and enjoy all the benefits of being a member, and feel free to connect with others through discussions and private messages.

Warning: Please do not create multiple accounts. We have a system in place that detects multiple account registrations, and any violations may result in a permanent ban.

Sign Up Now and Start Exploring!
  • License distribution for the
    Ibo 3.9 app+ panel with 17 themes to choose
    is now available for free, we are decrypting it now
    Only for VIP memberships

Tutorial What are HMAC Keys in XUI.ONE ?

Tutorial

Admin

Administrator
Administrative
Joined
Jul 24, 2024
Messages
293
What are HMAC Keys in XUI.ONE ?

HMAC keys were integrated into XUI a while ago, but without an explanation as to how it works and what it is for, not many people would be able to successfully implement it.

The idea behind using HMAC is to be able to use your own form of authentication on your website, yet stream from XUI and be able to manage connections accordingly. Instead of using a XUI username and password to authenticate a stream, you can generate a HMAC key with a unique identifier and restrictions that XUI will be able to verify and log.

Firstly, you need to access the XUI Admin panel and generate a HMAC Key.

1728664848169.png

Done! You now have your HMAC Key: 007B50D51E14F409104FCACB48849B2C
You would then need to keep it safe somewhere as you won't be able to see it again, it's encrypted in the database.

Token Parameters:

  • Stream ID
  • Extension
  • Max Connections
  • Identifier
  • Expiration - optional
  • User IP - optional
From the above you can build a token as follows:
{StreamID}##{Extension}##{Expiry}##{IP}##{Identifier}##{MaxConnections}


An example being a user you have authenticated on your own system would like to view stream 44, you want restrict them to their IP address and only allow them to view the stream using this URL for 24 hours, with 1 max connection:
44##m3u8##1613771149##192.168.0.1##USER_JOHN_DOE##1


You can then generate a HMAC token using the above string, and the HMAC key you generated earlier. An example in PHP would be:
$rResult = hash_hmac("sha256", "44##m3u8##1613771149##192.168.0.1##USER_JOHN_DOE##1", "007B50D51E14F409104FCACB48849B2C");


Your HMAC token in this example would be:
ed8d97309bd6cd1add1ef427e0f5cc861204154a4ccf8ddcb119e3441199842a


Finally, build your URL to the stream using your HMAC token and token parameters as follows:
http://yourwebsite.com:8080/stream/auth?stream=44&expiry=1613771149&extension=m3u8&identifier=USER_JOHN_DOE&max=1&ip=192.168.0.1&hmac=ed8d97309bd6cd1add1ef427e0f5cc861204154a4ccf8ddcb119e3441199842a


That's it! You have a working URL that will expire in 24 hours and be restricted to IP 192.168.0.1, allowing only 1 connection at a time to stream 44 and generating a HLS m3u8 playlist.


Understandably this may seem foreign to a lot of you, however if you're a developer, this is a secure and easy method to allow external access to your streaming platform without having to set up a new XUI line for each of your external users.
 
Back
Top