- Allows an API server to accept or reject requests depending on what a client is authorized to do
- Security in the control plane is essential
- Best practice is to limit what clients can do
- Control client provides credentials and gets an access token
- Sends token with API requests
- Based on JSON Web Tokens and OAuth 2.0
- Encryption is a prerequisite (see BCP-003-01)
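
The token flow in the list above, seen from the API server's side, as an added example that is not part of the original page or of the NMOS specifications. HS256 with a shared key, the `aud`/`exp`/`scope` checks, and every name and value here are assumptions chosen to keep the sketch standard-library only; `issue_token` is a hypothetical stand-in for the authorization server.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"      # constructed shared secret (assumption)
AUDIENCE = "registry.example"      # hypothetical name of this API server

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = KEY) -> str:
    """Stand-in for the authorization server: sign claims as an HS256 JWT."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def authorize(auth_header, needed_scope, now=None):
    """API server: map a request's Authorization header to an HTTP status."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401                                  # no token presented
    try:
        head, body, sig = auth_header[len("Bearer "):].split(".")
        header = json.loads(b64u_dec(head))
        expected = hmac.new(KEY, f"{head}.{body}".encode(),
                            hashlib.sha256).digest()
        # Pin the algorithm: never let the token choose it (e.g. "none").
        if header.get("alg") != "HS256":
            return 401
        if not hmac.compare_digest(expected, b64u_dec(sig)):
            return 401                              # forged or altered token
        claims = json.loads(b64u_dec(body))
        if claims.get("exp", 0) <= now or claims.get("aud") != AUDIENCE:
            return 401                              # expired or wrong server
        granted = str(claims.get("scope", "")).split()
    except (ValueError, TypeError, AttributeError):
        return 401                                  # malformed token
    # Authenticated; now decide what this client is authorized to do.
    return 200 if needed_scope in granted else 403
```

The 401/403 split mirrors the first bullet: an invalid token fails authentication, while a valid token that lacks the needed scope is rejected as unauthorized for that request.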

There is more information about the NMOS Specifications and their GitHub repos at https://specs.amwa.tv/nmos.