TheRelay - Documentation

Your Cameras. Anywhere. Instantly.
Back

Overview

Stop fighting with firewalls and NAT. Access your RTSP streams from anywhere with reliable cloud endpoints. TheRelay uses a small on-prem agent to publish your camera feeds to the cloud so you can view or integrate them via standard protocols without opening inbound ports or changing firewalls.

Key Idea

A single outbound, encrypted connection from your LAN to TheRelay Cloud—no VPNs, port forwarding, or firewall edits.

Highlights

  • Publish once from the LAN; consume anywhere.
  • Standard protocols: WebRTC, RTSP, SRT, HLS, RTMP.
  • Camera credentials remain on-prem with the Agent.
  • Fine-grained, token-based access control (camera or host scope).

Getting Started

  1. Create your TheRelay account and organization.
  2. Install TheRelay Agent on your local network.
  3. Add your local cameras.
  4. Create an Access Token.
  5. Enter the Access Token in the dashboard.
  6. Use the required protocols as needed: WebRTC, RTSP, SRT, HLS, RTMP.

TheRelay Agent

TheRelay Agent is a tiny service you run on a machine inside the same LAN as your cameras. It reads RTSP directly from the cameras and opens a single outbound, encrypted connection to TheRelay cloud, so no inbound ports, VPNs, or firewall changes.

On the Publish page you'll see the exact command to run for the selected operating system:

Windows Installation

  • Run the command in PowerShell.

Linux Installation

  • Run the command in your Terminal.

Adding a Camera

  1. Add a camera name.
  2. Enter your localhost camera RTSP URL
  3. Click Add Camera to add it to the list.
  4. Press Start Streaming to start the streaming process

RTSP URL Examples

Hikvision:
rtsp://USER:PASS@CAMERA_IP:554/Streaming/Channels/101

Dahua:
rtsp://USER:PASS@CAMERA_IP:554/cam/realmonitor?channel=1&subtype=0

Axis:
rtsp://USER:PASS@CAMERA_IP:554/axis-media/media.amp

Generic:
rtsp://USER:PASS@CAMERA_IP:PORT/PATH

Replace USER, PASS, CAMERA_IP, PORT, and PATH with your camera's details.

Credentials Stay Local

Camera usernames and passwords remain on the LAN; they are stored by the Agent and not transmitted to or stored in the cloud.

Tokens & Access

Publisher Tokens

Authenticate a TheRelay Agent to publish (send) a stream into TheRelay Cloud.

  • Designed for continuous operation (may be non-expiring).
  • Can be regenerated at any time.
  • Intended only for publishing, not for viewing or managing streams.

Access Tokens

Control view and management permissions for streams and resources.

  • Required to open the dashboard and to authorize viewers or operators.
  • Can be scoped to:
    • Entire computer (host) - grants access to all cameras on that host.
    • Individual cameras - grant access camera-by-camera for fine-grained control.

Access Token Studio

A guided tool in the dashboard for creating and managing Access Tokens. The Servers & Cameras tab shows all destinations you can see and lets you scope to servers/cameras. The Destinations tab lists only your organization's destinations for full-destination access.

Dashboard

To have access to dashboard users need to have one Access Token with attached cameras. Once authenticated, the Dashboard loads all cameras associated with that token.

Cameras View

  • For each camera (and in aggregate where applicable), the Dashboard displays:
  • Total Streams - The number of active streams available under your token's scope.
  • Active Viewers - Current consumers of the streams, which may include humans or automated systems (e.g., AI services).
  • Live Ingress / Egress (per stream)
    • Ingress: Real-time inbound bitrate/traffic into TheRelay Cloud from the publisher/agent.
    • Egress: Real-time outbound bitrate/traffic from TheRelay Cloud to viewers and downstream services.

Stream Details & Protocol Endpoints

Selecting a stream opens its details panel, where you can access standard streaming endpoints:

  • WebRTC
  • RTSP
  • SRT
  • HLS
  • RTMP

Use the provided controls to copy the URLs and integrate them into your application, player, or AI pipeline.

Security Architecture

LAN → Cloud

  • Encrypted SRT from TheRelay Agent to TheRelay Cloud.
  • Outbound-only connection from your LAN — no inbound ports opened on your router/firewall.
  • Camera credentials stay on the LAN, stored locally by TheRelay Agent; they are never sent to the cloud.

Streams Access

  • Access is granted via Access Tokens with camera-level or agent-level scope.
  • You can revoke tokens at any time.

Why TheRelay is more secure than opening ports for RTSP

No exposed services on the public internet

  • With TheRelay: Your cameras and agent are not reachable from outside; the agent dials out securely.
  • With open RTSP ports: You publish a public endpoint that can be scanned, brute-forced, indexed, or misconfigured.

Encrypted ingest by default

  • TheRelay: Uses SRT with AES encryption from LAN to cloud.
  • Open RTSP: Classic RTSP is unencrypted — even with digest auth, the media itself is sent in the clear via RTP.

Least-privilege, scoped sharing

  • TheRelay: Share exactly what’s needed: one camera (camera token) or all cameras on a host (agent token).
  • Open ports: Anyone with the URL or credentials can hit the entire exposed service, often with broad access.

No credential leakage

  • TheRelay: Camera usernames/passwords never leave the LAN; viewers only receive tokens, not camera credentials.
  • Open RTSP: Viewers typically need RTSP credentials, which can be shared, reused, or phished.

Simple revocation

  • TheRelay: Kill access instantly by revoking a token — no firewall surgery or camera reconfiguration.
  • Open RTSP: Requires changing camera passwords, updating firewall rules, and redistributing new credentials.

Reduced operational risk

  • TheRelay: Outbound-only pattern avoids fragile port-forward rules and reduces attack surface.
  • Open RTSP: Port forwarding is error-prone; a single misrule can expose more than intended.