Emby Authentication System
1. Basic Authentication Architecture
1.1 Authentication System Components
Emby uses a hybrid authentication system with the following components:
- Emby Server Authentication Engine - the server-side engine that verifies credentials and issues sessions
- Local User Database - the server's own store of user accounts and password hashes
- Emby Connect Service - the global (cloud) authentication service
- Token Management System - issues, validates and expires access tokens
2. Emby Authentication Protocol
2.1 Local Authentication
When a user authenticates locally on the Emby server:
POST /Users/AuthenticateByName
Content-Type: application/json

{
  "Username": "username",
  "Pw": "password"
}

The Emby server processes the request as follows:
- Looks up the user in the local database
- Validates the supplied password against the stored hash
- Generates a unique AccessToken
- Returns user details and token
2.2 Authentication Response
{
  "User": {
    "Id": "user_id",
    "Name": "username",
    "HasPassword": true,
    "HasConfiguredPassword": true
  },
  "SessionInfo": {
    "PlayState": {},
    "AdditionalUsers": [],
    "Capabilities": {}
  },
  "AccessToken": "access_token_string",
  "ServerId": "server_id"
}

3. Emby Connect System
3.1 Authentication with Emby Connect
Emby Connect lets one set of credentials authenticate across multiple servers:
POST /Users/AuthenticateWithConnect

{
  "ConnectUsername": "email@example.com",
  "ConnectPassword": "connect_password"
}

3.2 Account Linking
To link a local account to Emby Connect:
POST /Users/{UserId}/Connect/Link

{
  "ConnectUsername": "email@example.com",
  "ConnectPassword": "connect_password"
}

4. Token and Session Management
4.1 Emby Token Structure
Emby uses access tokens with the following characteristics:
- A unique token is generated for each session
- Token validity is configured in the server settings
- Each token is bound to the device and client application that requested it
4.2 Token Verification
All authenticated requests carry the header:
X-Emby-Token: access_token_string
On every request the server verifies the token:
- Validates token signature
- Checks expiration
- Confirms association with user
- Verifies permissions
5. Security in Emby
5.1 Password Storage
Emby stores passwords using modern algorithms:
- Salted hashes with a unique salt per user
- PBKDF2 or bcrypt as the hashing algorithm
- A configurable password complexity policy
5.2 Protection Against Attacks
- Rate limiting for failed authentications
- Temporary lockout after multiple attempts
- Input validation to prevent injection
- Extensive logging of authentication activity
6. Authentication Flows
6.1 Initial Authentication
- The client sends an authentication request
- The server validates the credentials
- The server generates an access token
- The server returns the session data
- The client stores the token for future requests
6.2 Authentication with Emby Connect
- The client sends its Emby Connect credentials
- The server validates them with the Connect service
- The server looks up the associated local user
- The server generates a token for the local session
- The server returns access to the local server
7. Main Authentication APIs
7.1 Key Endpoints
- POST /Users/AuthenticateByName - Local authentication
- POST /Users/AuthenticateWithConnect - Connect authentication
- POST /Users/{UserId}/Connect/Link - Account linking
- POST /Sessions/Logout - Session logout
- GET /Users/{UserId} - Session verification
7.2 Authentication Headers
X-Emby-Authorization: MediaBrowser Client="ClientName", Device="DeviceName", DeviceId="device_id", Version="client_version"
X-Emby-Token: access_token
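The local flow of sections 2.1/2.2 and the headers of 7.2, carried out end to end as an added example (not Emby's own client code). It assumes a pluggable transport callable in place of an HTTP library and a constructed in-memory responder that mimics the 2.2 response shape, so it runs offline; the token is redacted before it is logged.

```python
import json
from typing import Any, Callable, Dict, Tuple

# Transport stand-in (assumption): (url, headers, body) -> (HTTP status, response bytes).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]

def build_authorization_header(client: str, device: str, device_id: str, version: str) -> str:
    """Value for X-Emby-Authorization in the MediaBrowser form shown in 7.2."""
    return ('MediaBrowser Client="{}", Device="{}", DeviceId="{}", Version="{}"'
            .format(client, device, device_id, version))

def authenticate_by_name(transport: Transport, base_url: str, username: str,
                         password: str, auth_header: str) -> Dict[str, str]:
    """POST /Users/AuthenticateByName (2.1) and keep only the fields a client needs."""
    headers = {"Content-Type": "application/json", "X-Emby-Authorization": auth_header}
    body = json.dumps({"Username": username, "Pw": password}).encode()
    status, raw = transport(base_url + "/Users/AuthenticateByName", headers, body)
    if status != 200:
        # Report the status only; never put the password or response body in logs.
        raise PermissionError("authentication failed with HTTP %d" % status)
    resp: Dict[str, Any] = json.loads(raw)
    token = resp.get("AccessToken")
    if not token:
        raise ValueError("response lacks AccessToken")
    return {"token": token, "user_id": resp["User"]["Id"], "server_id": resp["ServerId"]}

def authenticated_headers(session: Dict[str, str], auth_header: str) -> Dict[str, str]:
    """Headers for every later request (4.2): client identity plus the session token."""
    return {"X-Emby-Authorization": auth_header, "X-Emby-Token": session["token"]}

def redact(token: str) -> str:
    """Log-safe form of a token: a short prefix is enough to correlate a session."""
    return token[:4] + "..." if len(token) > 4 else "..."

# Constructed responder that mimics a server's 2.2 reply; not a real Emby server.
_USERS = {"alice": "correct-horse"}

def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    if not url.endswith("/Users/AuthenticateByName") or "X-Emby-Authorization" not in headers:
        return 400, b"{}"
    req = json.loads(body)
    if _USERS.get(req.get("Username")) != req.get("Pw"):
        return 401, b"{}"  # wrong credentials: no token is ever issued
    resp = {"User": {"Id": "user-1", "Name": req["Username"], "HasPassword": True,
                     "HasConfiguredPassword": True},
            "SessionInfo": {"PlayState": {}, "AdditionalUsers": [], "Capabilities": {}},
            "AccessToken": "tok-0123456789", "ServerId": "server-1"}
    return 200, json.dumps(resp).encode()
```

Swap `fake_transport` for a thin wrapper around a real HTTP client to talk to an actual server; the header construction and response handling stay the same.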
8. Session Management
8.1 Active Session Tracking
Emby keeps track of each active session, recording:
- Device details
- Authentication time
- Last activity
- Current playback state
This system provides robust and flexible authentication for the Emby platform, supporting both local users and global authentication through Emby Connect.