Most streaming platforms are built on top of existing infrastructure.
YouTube Live. Zoom. Vimeo.
You configure, you embed, you go.
This was different.
The organization needed something none of those platforms could give them: a fully controlled, invitation-only streaming system where unauthorized access, screen recording, and code sharing were simply not possible.
So I built it from scratch. In 4 weeks. Using Cursor AI as my engineering partner.
Here's what that looked like.
The Stats at a Glance
10,000+ Concurrent Viewers
Sub-3s Stream Latency
98%+ Uptime
Built in 4 Weeks
25+ Database Models
40+ API Endpoints
Multi-Layer Security
Zero Unauthorized Access
Why Custom? Why Now?
Existing platforms could handle streaming volume. What they couldn't handle was governance.
The requirements were clear:
Non-negotiable requirements:
- No unauthorized access — only invited users with valid codes can watch
- No recording — prevent screen capture, DevTools, right-click, and F12
- No code sharing — one active session per access code
- Real-time admin visibility — who is watching, when they joined, any issues
- Works on mobile — 90% of viewers watch on phones in portrait mode
- Scalable invitations — bulk SMS, code regeneration, full audit trail
None of the existing platforms could satisfy all six. Custom development was the only path.
Architecture Decision: Build Custom, Integrate Smart
The core principle: don't reinvent what already works at scale. Use proven infrastructure where it exists, build custom where control is needed.
Video Delivery — Amazon IVS
Amazon Interactive Video Service handles low-latency CDN delivery globally. No need to build video encoding infrastructure — plug in, configure, control via backend.
Result: sub-3-second latency, worldwide reliability, without managing a video pipeline.
Backend — Node.js + Express + Prisma + PostgreSQL
Custom authorization logic, session management, WebSocket server, and audit logging all live here. This is where the real security enforcement happens — not at the video layer.
Frontend — Next.js 15 + Amazon IVS Player SDK
App Router architecture for performance. IVS Player SDK embedded and wrapped with custom security controls — watermark overlay, DevTools detection, resolution switching, error recovery.
Authentication & Session Management
The invitation system is the foundation of the entire security model. Get this wrong and everything else breaks.
Phone-based invitation delivery
Admins upload a CSV of phone numbers. System generates unique access codes. Twilio delivers them via SMS with formatted, brand-consistent messages.
JWT-based playback authorization
Each successful login mints a per-session JWT. The IVS playback token is only issued after JWT validation. No valid JWT = no video stream, regardless of URL.
One active session per code
A second login attempt with the same code triggers the Session Takeover Modal. The current viewer gets notified, with device and location info, and 60 seconds to respond. Approve → new device in, old out. Decline → new device sees rejection.
Geolocation enforcement
Login is restricted to a configurable allowlist of countries. Requests from outside that list are rejected at the auth layer before any token is issued.
Multi-Layer Security — 11 Tamper Detection Methods
Security theater is easy. Effective security at a browser level is genuinely hard, because the browser is an open environment.
We built three overlapping detection layers:
Layer 1 — DevTools Protection
- Disabled right-click context menu
- Blocked F12 and Cmd+Opt+I keyboard shortcuts
- Window dimension monitoring — detects when DevTools panel opens and changes viewport size
Layer 2 — Watermark Tamper Detection
A dynamic, personalized watermark is rendered over the video. It cannot simply be hidden or removed:
- MutationObserver watches for any DOM manipulation of the watermark element
- CSS manipulation detection — opacity, visibility, display changes trigger a flag
- Off-screen movement detection — if the element is positioned outside viewport bounds
- Position randomizes periodically to make recording + editing harder
Layer 3 — Session-Level Enforcement
Admin can kick any active session via WebSocket. The viewer receives a real-time notification and the stream stops. Code regeneration immediately terminates all sessions holding the old code — before the new code is distributed.
Security without friction:
All of this runs invisibly for legitimate viewers. Legitimate users load the page, enter their code, and watch. The security architecture only activates when something suspicious is detected.
Real-Time Admin Dashboard
Admins needed complete operational visibility — not a static report, but a live control room.
What the dashboard shows in real time:
Live Statistics
Active viewer count, redemption rate, session status — all updating via WebSocket without a page refresh.
Viewer Management Table
Each row shows: name, phone, join time, device, pulsing green dot for active sessions. Admins can kick sessions, regenerate codes, send direct SMS, or export to CSV inline.
Live Stream Preview
Embedded IVS player with auto-restart detection. If the stream goes IDLE or ENDED, the player polls and automatically reloads when broadcast resumes — no manual refresh needed.
Bulk Operations
CSV import with progress tracking, mass SMS broadcasting with rate limiting (1 msg/sec to respect Twilio quotas), custom message templates.
The Cursor AI Advantage
This project was built almost entirely with Cursor AI as a pair-programming partner. Not for boilerplate — for system design decisions.
Schema design
Discussed trade-offs between normalization approaches for sessions, audit logs, and invite states before writing a single migration.
Authentication flow
The JWT + IVS token chain was designed collaboratively — worked through edge cases like token expiry during an active stream.
Debugging
Watermark positioning across portrait/landscape fullscreen, WebSocket timing issues, IVS player flickering — all resolved through iterative conversation.
Security architecture
Multi-layered tamper detection was designed as a system, not bolted on. Cursor helped reason through what a motivated attacker would try.
Deployment readiness
Removed debug logging, added environment-based configuration flags, and structured audit logging before go-live.
Total build time: 4 weeks. A solo engineer. Production-grade.
This is what AI-assisted development looks like when you use it correctly — not for shortcuts, but for thinking at speed.
Outcome
What shipped:
- ✔ Seamless viewing experience across all devices for legitimate viewers
- ✔ Complete live visibility for admins — who is watching, when they joined, what device
- ✔ Security enforcement without any friction for real users
- ✔ First successful exclusive live event — 10,000+ concurrent viewers
- ✔ Zero unauthorized access incidents
- ✔ 98%+ uptime during critical broadcast windows
- ✔ Scalable foundation ready for future events
Why This Matters
Building a live streaming platform in 4 weeks that handles 10,000+ concurrent viewers, enforces enterprise-grade security, and gives admins real-time operational control — is not a prototype.
It's a production system. Built with a QA mindset: error handling and edge cases designed in from day one, not retrofitted.
This project proves that AI-assisted development is production-ready for enterprise systems — when the engineer behind it understands systems design, security, and what "production-grade" actually means.