# Authentication Flow

Every API call is authenticated using server-side generation of an API token. This token is created using an HMAC MD5 hash of your API secret, the IP address of the client requesting the token, and a timestamp, to find out how to generate this code follow the steps on this below. The token is then passed to the client-side code as a hexadecimal string, so that the client-side code can perform an authenticated request to the Streaming or Player APIs.

{% hint style="danger" %}
Your API secret should never be exposed to the public. In case of abuse, or if you have reasons to believe your API secret has been exposed, please contact the Integrations team to request a new secret.
{% endhint %}

## Authentication Flow Diagram

![](/files/xVFOzdPFmMapv4tlP5oh)

### As shown, the end-to-end authentication flow is as follows:

1. The end-user (client) wants to view content. In order to make this request, the client must have a valid authentication token. The client requests this authentication token from the operator’s back-end.
2. The operator's back-end/server generates a token and returns it to the client. This token should have the operator secret, ip address of the client, and the timestamp hashed into it.
3. The client makes a request to the Streaming API for a playback URL.
4. The stream URLs are passed to the operator’s video player.

{% hint style="success" %}
For the Player/Thumbnail API - replace 3) above with a call to the Player/Events/Thumbnail API rather than to the Streaming API
{% endhint %}

{% hint style="warning" %}
All Events API requests need to be made server-side and not client-side - If they are made client side these requests will fail.
{% endhint %}

{% hint style="danger" %}
For Streaming API requests, it is imperative that the IP address of the client is the IP address that is hashed into the authentication token. If not, this will very likely result in a 401 response from the Streaming API.
{% endhint %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sportradar.com/streaming-integration/authentication/authentication-flow.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.