Hello
Please check this thread: https://forum.flashphoner.com/threads/stream-restriction-by-authorize-domains-or-ip-addresses.11081/
You can pass a token
1. For websocket connection
var session = Flashphoner.createSession({custom:{token:'12345'}});
2. For stream.play()
session.createStream({name:"stream1",custom:{token:'12345'}}).play();
3. For stream.publish()
session.createStream({name:"stream1",custom:{token:'12345'}}).publish();
You have to generate this token on your secure server and you have to match this token on your web server (REST).
Yes, you need to write some code for token based authentication.