Skip to content
Start here

Tokens

Create a token
POST/accounts/{account_id}/moq/relays/{relay_id}/tokens
List tokens
GET/accounts/{account_id}/moq/relays/{relay_id}/tokens
Revoke a token
DELETE/accounts/{account_id}/moq/relays/{relay_id}/tokens/{jti}
ModelsExpand Collapse
TokenCreateResponse object { issuers }

A relay’s token collection, keyed on issuer type (a discriminated union). V1 ships exactly one arm (cloudflare_jwt). Clients iterate issuers, switch on type, and ignore unknown types — that contract is what makes adding or removing an arm non-breaking.

issuers: array of object { cloudflare_tokens, issuer, type }
cloudflare_tokens: array of object { created, expires, jti, 3 more }

Always present ([] when empty).

created: string
formatdate-time
expires: string

Mandatory; no more than 1 year after created.

formatdate-time
jti: string

Token identity and registry key (32 hex chars).

operations: array of "publish" or "subscribe"

Signed allowlist of what the token may do. V1 coarse roles; the array form extends to fine-grained MoQT message names later without a breaking change.

One of the following:
"publish"
"subscribe"
label: optional string

Optional, customer-set.

secret: optional string

The signed JWT. Present ONLY in create / auto-create responses (shown once); never returned by list, never stored.

issuer: "cloudflare"
type: "cloudflare_jwt"
TokenListResponse object { issuers }

A relay’s token collection, keyed on issuer type (a discriminated union). V1 ships exactly one arm (cloudflare_jwt). Clients iterate issuers, switch on type, and ignore unknown types — that contract is what makes adding or removing an arm non-breaking.

issuers: array of object { cloudflare_tokens, issuer, type }
cloudflare_tokens: array of object { created, expires, jti, 3 more }

Always present ([] when empty).

created: string
formatdate-time
expires: string

Mandatory; no more than 1 year after created.

formatdate-time
jti: string

Token identity and registry key (32 hex chars).

operations: array of "publish" or "subscribe"

Signed allowlist of what the token may do. V1 coarse roles; the array form extends to fine-grained MoQT message names later without a breaking change.

One of the following:
"publish"
"subscribe"
label: optional string

Optional, customer-set.

secret: optional string

The signed JWT. Present ONLY in create / auto-create responses (shown once); never returned by list, never stored.

issuer: "cloudflare"
type: "cloudflare_jwt"
TokenDeleteResponse object { errors, messages, success }
errors: array of object { code, message }
code: optional number
message: optional string
messages: array of object { code, message }
code: optional number
message: optional string
success: boolean