Skip to main content

Publishing (RTMP / RTMPS / SRT)

This page covers how to point an encoder (OBS, FFmpeg, hardware, etc.) at your Paradarum live stream and how publishing is authorized. All ingest URLs use your stream's 10-character emission point, shown on the stream's Endpoints tab in your dashboard. Throughout, replace <key> with that emission point.

:::warning Ingest host only These URLs use the ingest host <key>.live.prdrm.net. It is for publishing only — viewers play from the CDN host <key>.prdrm.net. See Playback URLs & manifest caching. :::

Protocols and ports

ProtocolPortScheme
RTMP1935rtmp://
RTMPS1936rtmps://
SRT10080srt://

RTMP

rtmp://<key>.live.prdrm.net:1935/live/<key>

In an OBS-style encoder, split this into a Server and a Stream Key:

  • Server: rtmp://<key>.live.prdrm.net:1935/live
  • Stream Key: <key>

RTMPS

Same as RTMP, over TLS on port 1936:

rtmps://<key>.live.prdrm.net:1936/live/<key>
  • Server: rtmps://<key>.live.prdrm.net:1936/live
  • Stream Key: <key>

SRT

SRT publishes to port 10080 and requires a streamid in an exact form. The r value is live/<key> and the mode is publish:

srt://<key>.live.prdrm.net:10080?streamid=#!::r=live/<key>,m=publish

:::danger SRT streamid must be exact The streamid must be exactly #!::r=live/<key>,m=publish. A malformed or wrong streamid is rejected. Copy it from the Endpoints tab rather than typing it by hand. :::

Authentication modes

When you create a stream you choose an ingest authentication mode. The numeric values come from the IngestAuthMode enum.

ModeValueBehavior
Anonymous0The stream key alone authorizes publishing.
UserPass1Also requires an ingest username and password.

On connect, the live PoP calls the API's publish hook to authorize the publisher: it checks that the key exists, the stream is not Disabled or Suspended, the account is active, the IP whitelist (if any) matches, and — in UserPass mode — the user and password.

User + password (RTMP)

With UserPass, pass the credentials as RTMP query parameters:

rtmp://<key>.live.prdrm.net:1935/live/<key>?user=myuser&pass=mypass

:::info Passwords are write-only Ingest passwords are stored only as a hash and are never returned by the API. When you update a stream, leaving the password field empty leaves the existing password unchanged. :::

IP whitelist (optional)

You can restrict who may publish to a comma-separated list of IPs and CIDR ranges, for example 1.2.3.4, 10.0.0.0/24. If set, a publisher whose source IP is not allowed is rejected.

:::note Treat it as a basic allow-list Whitelist matching is exact-IP or coarse CIDR-prefix string matching, not full subnet math. Use it as a basic allow-list, not for strict subnetting. :::

Max input bitrate cap

Each stream has a Max input bitrate (kbps) cap (default 5000). If a publisher exceeds the cap, the edge watchdog drops it. Set the cap above the total bitrate your encoder sends (video + audio) with some headroom.

Reconnection and config changes

Most encoders automatically reconnect after a dropped connection. Paradarum's Force restart flow relies on this: it kicks the current publisher so the encoder reconnects and re-applies the full configuration (renditions, auth, and IP whitelist). If you change renditions while live, see Transcode profiles & ABR for how and when changes take effect.

Create a stream via the API

Streams can also be created through the API. This example uses UserPass auth, an IP whitelist, a 5000 kbps cap, three renditions, and the original quality included:

curl -X POST 'https://api.paradarum.com/api/livestream?accountId=123' \
  -H 'X-API-Key: pdm_YOUR_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
        "name": "My live channel",
        "authMode": 1,
        "ingestUsername": "myuser",
        "ingestPassword": "secret",
        "ingestIpWhitelist": "1.2.3.4, 10.0.0.0/24",
        "bitrateCapKbps": 5000,
        "profileIds": [1, 2, 3],
        "includeOriginal": true
      }'

Next steps