Cloudflare Docs
Calls
Cloudflare Docs
Calls
    Edit this page
    Report an issue with this page
    Log into the Cloudflare dashboard
    Set theme to dark (⇧+D)
    1. Products
    2. Calls
    3. TURN Service
    4. Generate Credentials

    Generate TURN credentials

    Cloudflare will issue TURN keys, but these keys cannot be used as credentials with turn.cloudflare.com. To use TURN, you need to create credentials with a expiring TTL value.

    ​​ Create a TURN key

    To create a TURN credential, you first need to create a TURN key using Dashboard, or the API.

    You should keep your TURN key on the server side (don’t share it with the browser/app). A TURN key is a long-term secret that allows you to generate unlimited, shoter lived TURN credentials for TURN clients.

    With a TURN key you can:

    • Generate TURN credentials that expire
    • Revoke previously issued TURN credentials

    ​​ Create credentials

    You should generate short-lived credentials for each TURN user. In order to create credentials, you should have a back-end service that uses your TURN Token ID and API token to generate credentials. It will make an API call like this:

    curl https://rtc.live.cloudflare.com/v1/turn/keys/$TURN_KEY_ID/credentials/generate \

    --header "Authorization: Bearer $TURN_KEY_API_TOKEN" \

    --header "Content-Type: application/json" \

    --data '{"ttl": 86400}'

    The JSON response below can then be passed on to your front-end application:

    {
      "iceServers": {
        "urls": [
          "stun:stun.cloudflare.com:3478",
          "turn:turn.cloudflare.com:3478?transport=udp",
          "turn:turn.cloudflare.com:3478?transport=tcp",
          "turns:turn.cloudflare.com:5349?transport=tcp"
        ],
        "username": "bc91b63e2b5d759f8eb9f3b58062439e0a0e15893d76317d833265ad08d6631099ce7c7087caabb31ad3e1c386424e3e",
        "credential": "ebd71f1d3edbc2b0edae3cd5a6d82284aeb5c3b8fdaa9b8e3bf9cec683e0d45fe9f5b44e5145db3300f06c250a15b4a0"
      }

    }

    Use username and credential as follows when instantiating the RTCPeerConnection:

    const myPeerConnection = new RTCPeerConnection({
      iceServers: [
        {
          urls: "stun:stun.cloudflare.com:3478",
        },
        {
          urls: "turn:turn.cloudflare.com:3478",
          username: "REPLACE_WITH_USERNAME",
          credential: "REPLACE_WITH_CREDENTIAL",
        },
        {
          urls: "turns:turn.cloudflare.com:5349?transport=tcp",
          username: "REPLACE_WITH_USERNAME",
          credential: "REPLACE_WITH_CREDENTIAL",
        },
        {
          urls: "turn:turn.cloudflare.com:3478?transport=tcp",
          username: "REPLACE_WITH_USERNAME",
          credential: "REPLACE_WITH_CREDENTIAL",
        },
      ],

    });

    The ttl value can be adjusted to expire the short lived key in a certain amount of time. This value should be larger than the time you’d expect the users to use the TURN service. For example, if you’re using TURN for a video conferencing app, the value should be set to the longest video call you’d expect to happen in the app.

    When using short-lived TURN credentials with WebRTC, credentials can be refreshed during a WebRTC session using the RTCPeerConnection setConfiguration() API.

    ​​ Revoke credentials

    Short lived credentials can also be revoked before their TTL expires with a API call like this:

    curl --request POST \
    https://rtc.live.cloudflare.com/v1/turn/keys/$TURN_KEY_ID/credentials/username/$USERNAME/revoke \

    --header "Authorization: Bearer $TURN_KEY_API_TOKEN"