On your coturn server, set use-auth-secret in turnserver.conf (--use-auth-secret on the command line) and supply a long random static-auth-secret (or store it in a database); restart coturn.
On your application server, generate ephemeral TURN credentials: set the username to <unix_timestamp_expiry>:<optional_user_id>, where the first field is the time, in seconds since the epoch, at which the credential should expire, then compute the password as base64(HMAC-SHA1(key=static-auth-secret, data=username)).
Return the ICE server configuration to the browser client: {urls: ["turn:your-turn-host:3478"], username: "<timestamp_username>", credential: "<base64_hmac_password>"}; include a STUN server entry alongside.
The client passes this ICE server config to the RTCPeerConnection constructor; the browser uses the credentials only when a TURN relay is needed (direct or STUN paths are tried first).
Set the timestamp expiry appropriately for session length — see coturn docs for current recommendations on maximum TTL; regenerate credentials per session.
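The application-server side of the steps above, as an added example (not coturn's or this page's own code). The secret, the host turn.example.org, the function names, the rule that user_id may not contain ":" and the self_check helper are assumptions of this example; self_check only recomputes the password locally so that a formatting mistake is caught before the credential reaches a client.

```python
import base64
import hashlib
import hmac
import time

SECRET = "constructed-example-secret"  # constructed; use coturn's static-auth-secret


def _password(secret, username):
    # base64(HMAC-SHA1(key=static-auth-secret, data=username))
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def make_turn_credentials(secret, user_id, ttl_seconds, now=None):
    """Build (username, password) with username = <expiry>:<user_id>."""
    if ":" in user_id:  # this example's rule: keep the separator unambiguous
        raise ValueError("user_id must not contain ':'")
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl_seconds}:{user_id}"
    return username, _password(secret, username)


def ice_servers(host, username, password):
    """ICE configuration to hand to the browser's RTCPeerConnection."""
    return [
        {"urls": [f"stun:{host}:3478"]},
        {"urls": [f"turn:{host}:3478"], "username": username, "credential": password},
    ]


def self_check(secret, username, password, now=None):
    """Recompute the password from the exact username and reject expired ones."""
    expiry = username.split(":", 1)[0]
    if not (expiry.isascii() and expiry.isdigit()):
        return False
    now = int(time.time()) if now is None else int(now)
    if int(expiry) <= now:
        return False
    return hmac.compare_digest(_password(secret, username).encode(), password.encode())


if __name__ == "__main__":
    user, pw = make_turn_credentials(SECRET, "alice", ttl_seconds=3600)
    print(ice_servers("turn.example.org", user, pw))
    print("valid:", self_check(SECRET, user, pw))
    print("reformatted username:", self_check(SECRET, user.upper(), pw))
```

The last line prints False: the password only matches the byte-for-byte username it was computed over, so any later normalisation of the username (case, whitespace, separator) invalidates the credential.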
Known gotchas
The HMAC-SHA1 password is derived from the full timestamp:username string — even a small deviation in the username format renders the credential invalid and TURN relay fails silently.
coturn's use-auth-secret mode is incompatible with long-term credential mode in the same realm; ensure you do not mix authentication methods.
Open UDP ports 3478 and 5349 (TLS) plus the TURN relay port range in your firewall; restricting the relay range too narrowly causes allocation failures for high-concurrency calls.