Authentication
Meridian VMS uses secure token-based authentication for user sessions and dedicated server credentials for recording server communication. All API endpoints (except login) require valid authentication.
User Authentication
Section titled “User Authentication”Session Management
Section titled “Session Management”Meridian VMS uses a secure token-based session system:
- Short-lived session tokens are used for API requests. The web interface manages these transparently.
- Longer-lived refresh tokens allow the session to be extended without requiring the user to log in again.
- Sessions expire automatically after a period of inactivity. If your session expires, you will be redirected to the login screen.
Login Flow
Section titled “Login Flow”- The user enters their email/username and password on the login screen.
- The server verifies the credentials.
- On success, the web interface establishes a session and subsequent requests are authenticated automatically.
- Sessions are extended transparently in the background — no user action is required.
Token Delivery
Section titled “Token Delivery”For standard web interface usage, authentication is handled automatically by the browser. For media URLs (live streams, video segments, snapshots), authentication tokens are passed as query parameters since browser media elements cannot set custom HTTP headers.
Password Security
Section titled “Password Security”Hashing
Section titled “Hashing”User passwords are hashed using a secure, computationally expensive hashing algorithm before storage. This makes brute-force attacks impractical. Plaintext passwords are never stored, logged, or transmitted after the initial login request.
Password Requirements
Section titled “Password Requirements”Administrators can set passwords for users through the Settings > Access Control > Users page. Administrators should establish and communicate password policies appropriate to their organisation.
Admin Account Seeding
Section titled “Admin Account Seeding”On first startup, Meridian VMS creates an initial administrator account using the credentials configured during installation.
Server Authentication
Section titled “Server Authentication”Recording servers authenticate to the management server using dedicated server credentials rather than user login credentials. These credentials:
- Are configured during server registration
- Are used for all communication between the recording server and the management server
- Authorise heartbeat updates, segment indexing, and event reporting
Password Security Best Practices
Section titled “Password Security Best Practices”- Use strong, unique passwords for all user accounts
- Change the admin password immediately after installation
- Restrict file permissions on configuration files to the service user
- Use a long, randomly generated secret for the signing key
- Consider enabling TLS on all connections in production deployments