Stateless endpoints available on this streaming edge cluster:

| Method | Endpoint / Resource | Access Controls | Return Format |
|---|---|---|---|
| GET | /match/{id} | Public / Web | HTML Player Shell |
| GET | /api/v1/matches | Edge Authentication | JSON Match List |
| GET | /api/v1/matches/{id} | Edge Authentication | JSON Match Object |
| GET | /api/v1/proxy | Query Signature Required | M3U8 Playlist / TS Segment |
| GET | /health | Public | JSON Health Details |
| GET | /metrics | Public | Prometheus Metrics Text |

To prevent raw upstream links from leaking or being hijacked, the Edge server intercepts HLS stream requests and proxies them, authorizing each one with a cryptographic URL signature.

The `/api/v1/proxy` endpoint requires stateless signature authentication. Requests with invalid or missing parameters receive a 401 Unauthorized response.

| Param | Type | Description |
|---|---|---|
| url | String | URL-safe Base64 encoded target CDN stream URL. |
| schema | String | Must be `sports`. Dictates upstream request header spoofing. |
| sig | String | HMAC-SHA256 signature generated using the client identifier and access token. |
| exp | Integer | Unix timestamp at which the URL signature expires. |
| client | String | Hash of the client's IP and User-Agent. Validated strictly on the backend. |

How the edge proxy validates client stream requests on every request without checking a database:

1. The client loads the match page. The backend generates a Client ID (derived from the requesting client's IP and User-Agent) and creates a cryptographic signature containing the target stream URL, an expiration window, and the access secret.
2. When the HTML5 player requests a media playlist or TS segment from the proxy gateway, the authentication extractor computes the requester's actual Client ID and checks it together with the signature payload.
3. If the URL signature is valid, has not expired, and matches the calculated client fingerprint, the request is forwarded to the upstream CDN. If any check fails, the proxy rejects the request immediately.
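
The sign-and-verify flow described above, as an added Python example that is not this project's own code. Only the parameter names come from the table; the MAC input layout, the fingerprint hash, covering `schema` in the MAC, and the secret value are assumptions.

```python
import base64, hashlib, hmac, time

SECRET = b"constructed-demo-secret"  # placeholder for the edge access secret

def client_id(ip, user_agent):
    # Assumed fingerprint: SHA-256 over "ip|user-agent" (page only says "hash")
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def _mac(url_b64, schema, exp, client):
    # Length-prefix every field so bytes cannot shift between adjacent fields
    fields = [f.encode() for f in (url_b64, schema, str(exp), client)]
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def sign(target_url, ip, user_agent, ttl=300, now=None):
    """Backend side: build the query parameters for /api/v1/proxy."""
    now = int(time.time()) if now is None else now
    url_b64 = base64.urlsafe_b64encode(target_url.encode()).decode()
    cid, exp = client_id(ip, user_agent), now + ttl
    return {"url": url_b64, "schema": "sports", "exp": str(exp),
            "client": cid, "sig": _mac(url_b64, "sports", exp, cid)}

def verify(params, ip, user_agent, now=None):
    """Proxy side: return (200, upstream_url) or (401, reason). No DB lookup."""
    now = int(time.time()) if now is None else now
    try:
        url_b64, schema = params["url"], params["schema"]
        client, sig, exp = params["client"], params["sig"], int(params["exp"])
    except (KeyError, ValueError):
        return 401, "missing or malformed parameter"
    if schema != "sports":
        return 401, "unsupported schema"
    expected = _mac(url_b64, schema, exp, client)
    # Constant-time comparison; check the MAC before trusting any other field
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 401, "bad signature"
    if exp < now:
        return 401, "expired"
    # Recompute the fingerprint from the live connection, never from the query
    if not hmac.compare_digest(client.encode(), client_id(ip, user_agent).encode()):
        return 401, "client mismatch"
    return 200, base64.urlsafe_b64decode(url_b64).decode()
```

Because `client` and `exp` are covered by the MAC, a copied link fails from another IP or User-Agent, and editing either parameter in the query string invalidates the signature.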