Detecting Stream Misuse with the Token Guardian View
Even with strong preventive measures, monitoring is essential. The Token Guardian View aggregates usage data per playback token, enabling you to identify tokens exhibiting suspicious behavior and take targeted action.
For general Analytics Dashboard features and the Guardian UI, see the Analytics Guardian Guide. For blocking actions, see nanoStream Guardian.
Analytics Dashboard — Key Views
The Analytics Dashboard at metrics.nanostream.cloud provides real-time visibility into your streaming activity. The following views are most relevant for security monitoring:
| View | URL | Purpose |
|---|---|---|
| Breakdown | metrics.nanostream.cloud/breakdown | Traffic based analysis with one-click IP/Referrer blocking |
| Guardian based on IPs | metrics.nanostream.cloud/streamGuard | Activity by IP based analysis with one-click IP blocking |
| Guardian based on Tokens | metrics.nanostream.cloud/streamGuard?misTerm=jwtoken | Activity by Playback Token based analysis with one-click token revocation |
Setting Up Your Analysis
Define the time frame:
- Use a 1-day window for a general health check of your traffic.
- Narrow to a 3-hour window (or less) to isolate specific anomalies.
Inspect token details: Click on any row to expand the "Additional details" panel, which shows the token's payload including its scope (e.g., which domain and streams it is restricted to). Understanding the intended scope helps you judge whether observed behavior is normal.
Key Indicators of Suspicious Activity
The following patterns may indicate misuse. They are starting points for investigation rather than definitive proof.
A. Multiple IPs or Sessions per Token
When a single token is used from multiple IP addresses or generates many concurrent sessions, this may indicate that the token is being shared or used by an automated relay system.
This pattern can also be caused by legitimate token workflows — for example, if tokens are reused across sessions or if viewers are behind shared network infrastructure. Always evaluate in the context of your specific token generation workflow.
B. Data Center / Cloud Provider Traffic
Monitor the "Top Providers" column for entries that do not match expected consumer behavior. Traffic from cloud providers such as Amazon AWS, Google Cloud, Cloudflare, or similar hosting services is conspicuous because these are not residential ISPs. Viewers watching through a browser typically connect via consumer ISPs (e.g., Viettel, VNPT, Comcast, Deutsche Telekom).
Cloud-hosted traffic often suggests automated scripts, relay servers, or bots — though it could also originate from your own monitoring systems or business partners.
C. Referrer Anomalies
The referrer shows the origin of the playback request:
- Unknown domains: Domains that are not part of your official streaming environment may indicate unauthorized embedding.
- Missing referrers (
N/Aor-): This suggests the request did not originate from a standard web browser but from a programmatic HTTP client (e.g.,curl, server-side scripts), which is typical of relay/restreaming setups.
D. Geographic Distribution
A single token showing activity from multiple countries within a short time window is noteworthy. This can indicate use of a proxy network or VPN to mask the origin of the access.
E. Unusually Long Playback Duration
Tokens with exceptionally high total playback duration are conspicuous because relaying (copying) a stream requires it to be active for the entire length of the content. Long-duration tokens may warrant closer inspection, especially if combined with other indicators.
F. High Concurrency (for User-Bound Tokens)
When tokens are bound to specific user IDs, the concurrency metric becomes very informative:
- A normal user typically has a concurrency of approximately 1.
- A concurrency value > 2 strongly suggests simultaneous streams, indicating account sharing or unauthorized redistribution.
Practical Analysis Workflow
- Open the Token Guardian View and set your desired time range.
- Look beyond the top rows (high-volume tokens for popular content are expected) — focus on tokens with unusual duration, multi-IP usage, or unexpected providers.
- Click on suspicious rows to inspect the token payload and its scope.
- Cross-reference with the Breakdown view for geographic and referrer details.
- If you identify confirmed misuse, proceed to the available response options: nanoStream Guardian for manual blocking or Token Revocation to invalidate compromised tokens.