The general approach for securing RTMP is to use Stream Keys that are unique to the user account. This works basically the same as an API token, meaning if the key is present in the RTMP URL it will accept the stream. It also means you should typically give the user an option to refresh the token if they feel it’s been compromised for some reason.
Depending on the use case and audience, this is usually a better option than trying to tie it directly to a logged-in user. For a lot of broadcasters, it’s common for your RTMP feed to come from external streaming equipment such as a Cerevo LiveShell, which may not even have an HTTP client. JWT is usually implemented with a timeout as well, which will refresh the token and could interrupt the stream.
You may find this article on implementing Stream Keys with Django helpful.
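A sketch of the stream-key check described above, added here as an illustration; it is not code from the answer or from the linked article. The `StreamKeyStore` class, the function names, the `rtmp://host/<app>/<key>` URL layout and the `ingest.example.test` host used in testing are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse


def _digest(key: str) -> str:
    # Keys are high-entropy random values, so a plain SHA-256 is enough at rest.
    return hashlib.sha256(key.encode()).hexdigest()


class StreamKeyStore:
    """In-memory stand-in for a per-account stream key table (hypothetical)."""

    def __init__(self):
        self._hash_by_user = {}  # user id -> SHA-256 hex digest of current key

    def issue(self, user_id: str) -> str:
        """Create or refresh the key for a user; the previous key stops working."""
        key = secrets.token_urlsafe(32)
        self._hash_by_user[user_id] = _digest(key)
        return key  # shown to the user once, never stored in clear

    def owner_of(self, key: str):
        """Return the user id owning this key, or None."""
        candidate = _digest(key)
        owner = None
        for user_id, stored in self._hash_by_user.items():
            # Constant-time comparison of the stored and presented digests.
            if hmac.compare_digest(stored, candidate):
                owner = user_id
        return owner


def key_from_rtmp_url(url: str):
    """Extract the key from rtmp://host/<app>/<key> (layout is an assumption)."""
    parsed = urlparse(url)
    parts = [p for p in parsed.path.split("/") if p]
    if parsed.scheme not in ("rtmp", "rtmps") or len(parts) != 2:
        return None
    return parts[1]


def authorize_publish(store: StreamKeyStore, url: str):
    """Accept the stream only if the URL carries a currently valid key."""
    key = key_from_rtmp_url(url)
    return store.owner_of(key) if key else None
```

Because the key travels in the URL, an ingest server that logs full publish URLs also logs the key, which is one more reason to offer the refresh option.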