


turnadmin is a TURN administration tool. This tool can be used to manage the user accounts (add/remove users, generate TURN keys for the users). For security reasons, we do not recommend storing passwords openly. The better option is to use pre-processed "keys" which are then used for authentication. These keys are generated by turnadmin. turnadmin is a link to the turnserver binary, but it performs different functions.

Options note: turnadmin has long and short option names for most options. Some options have only a long form, some have only a short form. Their syntax is somewhat different when an argument is required:

The short form must be used like this (for example):

$ turnadmin -u <username> ...
The long form equivalent must use the "=" character:

$ turnadmin --user=<username> ...
If this is a flag option (no argument required), then the usage of both forms is the same, for example:

$ turnadmin -k ...
is equivalent to:

$ turnadmin --key ...
You must always use the -r <realm> option with commands for long-term credentials, because data for multiple realms can be stored in the same database.



turnadmin - a TURN relay administration tool.


$ turnadmin [command] [options]
$ turnadmin [ -h | --help]



Generate and print to the standard output an encrypted form of a password (for web admin user or CLI). The value then can be used as a safe key for the password storage on disk or in the database. Every invocation for the same password produces a different result. The format of the encrypted password is: $5$<...salt...>$<...sha256(salt+password)...>. Salt is 16 characters, the sha256 output is 64 characters. Character 5 is the algorithm id (sha256). Only sha256 is supported as the hash function.
Generate key for a long-term credentials mechanism user.
Add or update a long-term user.
Add or update an admin user.
Delete a long-term user.
Delete an admin user.
List long-term users in the database.
List admin users in the database.

-s, --set-secret=<value> Add shared secret for TURN REST API

Show stored shared secrets for TURN REST API

-X, --delete-secret=<value> Delete a shared secret.

Delete all shared secrets for REST API.
Add origin-to-realm relation.
Delete origin-to-realm relation.
List origin-to-realm relations.
Set realm params: max-bps, total-quota, user-quota.
List realm params.
Generate and print to the standard output an encrypted form of password with AES-128
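
The `$5$<salt>$<sha256(salt+password)>` format described above for the encrypted password can be parsed and checked as follows. This is an added example, not code from the turnserver project; the function names, the lowercase-hex digest encoding, the UTF-8 password encoding and the alphanumeric salt alphabet are assumptions.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional, Tuple

SALT_LEN, DIGEST_LEN = 16, 64                      # sizes given on this page
_ALPHABET = string.ascii_letters + string.digits   # assumed salt alphabet


def _digest(salt: str, password: str) -> str:
    # One sha256 over salt+password, as the page states; hex yields 64 characters.
    # This is not the iterated sha256-crypt that crypt(3) computes for "$5$".
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def parse_encrypted(value: str) -> Tuple[str, str]:
    """Split '$5$<salt>$<digest>' and enforce the documented field sizes."""
    parts = value.split("$")
    if len(parts) != 4 or parts[0] != "":
        raise ValueError("expected $<id>$<salt>$<digest>")
    _, algo, salt, digest = parts
    if algo != "5":
        raise ValueError("only algorithm id 5 (sha256) is supported")
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 characters")
    if len(digest) != DIGEST_LEN or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("digest must be 64 hex characters")
    return salt, digest


def make_encrypted(password: str, salt: Optional[str] = None) -> str:
    """Build a value in the documented format; a fresh random salt per call."""
    if salt is None:
        salt = "".join(secrets.choice(_ALPHABET) for _ in range(SALT_LEN))
    return "$5$" + salt + "$" + _digest(salt, password)


def verify_encrypted(stored: str, candidate: str) -> bool:
    """True when candidate matches the stored value; False on malformed input."""
    try:
        salt, digest = parse_encrypted(stored)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many digest characters match.
    return hmac.compare_digest(digest, _digest(salt, candidate))
```

Because the salt is random, two calls to `make_encrypted` for the same password give different strings, which matches the statement that every invocation produces a different result.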

Options with required values:

SQLite user database file name (default - /var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb). See the same option in the turnserver section.
PostgreSQL user database connection string. See the --psql-userdb option in the turnserver section.
MySQL user database connection string. See the --mysql-userdb option in the turnserver section.
MongoDB user database connection string. See the --mongo-userdb option in the turnserver section.
Redis user database connection string. See the --redis-userdb option in the turnserver section.
User name.
Generates a 128 bit key into the given path.
Contains a 128 bit key in the given path.
Verify a given base64 encrypted type password.
Set value of realm's max-bps parameter.
Set value of realm's total-quota parameter.
Set value of realm's user-quota parameter.

Command examples:

Generate an encrypted form of a password:

$ turnadmin -P -p <password>

Generate a key:

$ turnadmin -k -u <username> -r <realm> -p <password>

Add/update a user in the database:

$ turnadmin -a [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm> -p <password>

Delete a user from the database:

$ turnadmin -d [-b <userdb-file> | -e <db-connection-string> | -M <db-connection-string> | -N <db-connection-string> ] -u <username> -r <realm>

List all long-term users in MySQL database:

$ turnadmin -l --mysql-userdb="<db-connection-string>" -r <realm>

List all admin users in Redis database:

$ turnadmin -L --redis-userdb="<db-connection-string>"

Set secret in MySQL database:

$ turnadmin -s <secret> --mysql-userdb="<db-connection-string>" -r <realm>

Show secret stored in PostgreSQL database:

$ turnadmin -S --psql-userdb="<db-connection-string>" -r <realm>

Set origin-to-realm relation in MySQL database:

$ turnadmin --mysql-userdb="<db-connection-string>" -r <realm> -o <origin>

Delete origin-to-realm relation from Redis DB:

$ turnadmin --redis-userdb="<db-connection-string>" -o <origin>

List all origin-to-realm relations in Redis DB:

$ turnadmin --redis-userdb="<db-connection-string>" -I

List the origin-to-realm relations in PostgreSQL DB for a single realm:

$ turnadmin --psql-userdb="<db-connection-string>" -I -r <realm>

Create new key file for mysql password encryption:

$ turnadmin -E --key-path <key-file>

Create encrypted mysql password:

$ turnadmin -E --file-key-path <key-file> -p <secret>

Verify/decrypt encrypted password:

$ turnadmin --file-key-path <key-file> -v <encrypted>


$ turnadmin -h



After installation, run the command:

$ man turnadmin

or in the project root directory:

$ man -M man turnadmin

to see the man page.















turnserver, turnutils



project page:

Wiki page:




Oleg Moskalenko <>

Gabor Kovesdan

Daniel Pocock

John Selbie (

Lee Sylvester <>

Erik Johnston <>

Roman Lisagor <>

Vladimir Tsanev <>

Po-sheng Lin <>

Peter Dunkley <>

Mutsutoshi Yoshimoto <>

Federico Pinna <>

Bradley T. Hughes <>

Mihály Mészáros <>


Mihály Mészáros <>

10 January 2021