The Mux Developer Hub

Welcome to the Mux developer hub. You'll find comprehensive guides and documentation to help you start working with Mux as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started


Every request to the API is authenticated via an Access Token, which includes the ID and the secret key. You can think of the Access Token’s id as its username and secret as the password, which is important to note because Mux only stores a hash of the secret, not the secret itself. If you lose the secret key for your access token, Mux cannot recover it, you will have to create a new Access Token. If the secret key for an Access Token is leaked you should revoke that Access Token on the settings page:

Note that in order to access the settings page for access tokens you must be an admin on the Mux organization.

API requests are authenticated via HTTP Basic Auth, where the username is the Access Token ID, and the password is the Access Token secret key. Due to the use of Basic Authentication and because doing so is just a Really Good Idea™, all API requests must made via HTTPS (to


Watch out for mismatched tokens and environments

Access tokens are scoped to an environment. When you create an access token make sure you are creating it for the environment that you intend to use it for.

This is an example of authenticating a request with cURL and HTTP Basic Auth. If you run this request yourself it will not work, you should replace the Access Token ID (44c819de-4add-4c9f-b2e9-384a0a71bede) and secret (INKxCoZ+cX6l1yrR6vqzYHVaeFEcqvZShznWM1U/No8KsV7h6Jxu1XXuTUQ91sdiGONK3H7NE7H) in this example with your own credentials.

curl \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{ "input": "", "playback_policy": "public" }' \
  -u 44c819de-4add-4c9f-b2e9-384a0a71bede:INKxCoZ+cX6l1yrR6vqzYHVaeFEcqvZShznWM1U/No8KsV7h6Jxu1XXuTUQ91sdiGONK3H7NE7H

HTTP Basic Auth

Http basic auth works by base64 encoding the username and password in an Authorization header on the request.

Specifically, the header looks something like this:

'Authorization': `Basic base64(MUX_TOKEN_ID:MUX_TOKEN_SECRET)`
  1. The token ID and token secret are concatenated with a : and the string is base64 encoded.
  2. The value for the Authorization header is the string Basic plus a space followed by the base64 encoded result from Step 1.

In the cURL example above, the cURL library is taking care of the base64 encoding and setting the header value internally. The HTTP library you use in your server-side language will probably have something similar for handling basic auth. You should be able to pass in the username (Access Token ID) and password (Access Token secret) and the library will handle the details of formatting the header.


Mux has API SDKs for several major languages. You are not required to use them, but these SDKs handle the details of authentication for you and make it a little nicer to send API requests to Mux.

Access token permissions


Full Access

If you are just getting started with Mux Video then "Full Access" permissions is what you are looking for.

If you are creating or modifying resources with Mux Video then you need Full Access. This includes things like:

  • Creating new assets
  • Creating direct uploads
  • Creating new live streams

If your code is not creating anything and only doing GET requests then you can restrict the access token to "Read" only.

CORS and Client Side API Requests

Mux API endpoints do not have CORS headers, which means if you try to call the Mux API from the browser you will get an error along the lines of this:


CORS Error in Browser

request has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This is expected. Although making API requests directly from the browser or your mobile app would be convenient, it leaves a massive security hole in your application by the fact that your client side code would contain your API keys. Anyone who accesses your application would have the ability to trivially steal your API credentials and make requests to Mux on your behalf. An attacker would be able to gain full control of your Mux account.

Mux API Credentials should never be stored in a client application. All Mux API calls should be made from a trusted server.

Instead of trying to make API requests from the client, the flow that your application should follow is:

  1. Client makes a request to your server
  2. Your server makes an authenticated API request to Mux
  3. Your server saves whatever it needs to in your database
  4. Your server responds to the client with only the information that the client needs. For example, with live streaming that's the stream key for a specific stream, for uploads that's just the direct upload URL

Updated about a month ago


Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.