Every WebRTC connection starts with a problem: two browsers don’t know how to reach each other. They don’t have each other’s IP addresses. They don’t know what codecs the other side supports. They have no idea which network paths are open through firewalls and NAT devices.
The WebRTC signaling server solves all of that before a single byte of media flows.
WebRTC deliberately doesn’t define how signaling works — the standard leaves that decision to developers. That flexibility is both powerful and confusing. In this guide, you’ll learn what a WebRTC signaling server does, how the SDP offer/answer exchange and ICE candidate process work, how it differs from STUN and TURN servers, which signaling protocol to choose, and how to build a working one with Node.js and Socket.IO.
What Is a WebRTC Signaling Server?
A WebRTC signaling server is a coordination layer that helps two peers exchange the metadata they need to establish a direct peer-to-peer connection. It relays Session Description Protocol (SDP) offers and answers, exchanges ICE (Interactive Connectivity Establishment) candidates, and manages session state — then steps out of the way once the connection is live.
Here’s the key point: the signaling server never handles audio or video data. Its only job is connection setup. Once the two peers are connected, all media flows directly between them, and the signaling server plays no further role in the call.
The EXTLINKWebRTC signaling specification intentionally leaves the signaling transport undefined. That means you can implement it with WebSockets, HTTP long-polling, SIP, XMPP, or any other protocol that can relay messages between clients.
What a signaling server does:
– Connects clients to a shared channel or “room”
– Routes SDP offers from the caller to the callee
– Routes SDP answers from the callee back to the caller
– Relays ICE candidates in both directions
– Notifies peers when a user disconnects
What a signaling server does NOT do:
– Relay audio, video, or data after the connection is established
– Handle NAT traversal directly (that’s the job of STUN and TURN)
– Process or encode media
How WebRTC Signaling Works
The signaling process happens in two stages: the SDP offer/answer exchange, followed by ICE candidate exchange. Both happen through the signaling server before any media can flow.
The SDP Offer/Answer Exchange
SDP stands for Session Description Protocol. An SDP document describes what a peer can send and receive: which audio and video codecs it supports, the media formats, bandwidth constraints, and connection parameters.
The exchange works like this:
- Caller creates an offer — The calling peer calls
createOffer()on itsRTCPeerConnectionobject, generating an SDP document that describes its capabilities. - Caller sets local description — The caller calls
setLocalDescription(offer)to commit the offer locally. - Caller sends offer via signaling — The SDP offer is sent to the signaling server, which routes it to the target peer.
- Callee receives the offer — The callee calls
setRemoteDescription(offer)to register what the caller can do. - Callee creates an answer — The callee calls
createAnswer()to generate a matching SDP that reflects both sides’ capabilities. - Callee sets local description and sends answer — The answer is committed locally and sent back through the signaling server.
- Caller receives the answer — The caller calls
setRemoteDescription(answer), completing the capability negotiation.
At this point, both peers agree on codecs and media parameters — but they still don’t have a working connection path. That’s where ICE comes in.
ICE Candidate Exchange
ICE (Interactive Connectivity Establishment) is the framework that finds the best network route between two peers. During and after the SDP exchange, each peer’s browser generates ICE candidates — potential network paths it could use to receive data.
There are three types of ICE candidates:
| Candidate Type | Description | When Used |
|---|---|---|
| Host | Direct local IP address | Same LAN, no NAT |
| Server Reflexive (SRFLX) | Public IP discovered via STUN server | Most standard internet connections |
| Relay (RELAY) | IP address via TURN server | Symmetric NAT, strict firewalls |
Each ICE candidate gets sent to the signaling server as it’s generated, and the remote peer adds it to its RTCPeerConnection via addIceCandidate(). ICE then tests each candidate pair to find the best working path — direct if possible, relayed through a TURN server if not.
Most WebRTC connections succeed through host or server reflexive candidates, which covers roughly 80% of real-world scenarios. The TURN relay path is the fallback for corporate networks and environments with strict firewall policies.
The Full Signaling Flow
Peer A (Caller) Signaling Server Peer B (Callee)
| | |
|-- createOffer() ---------| |
|-- setLocalDescription() | |
|-- video-offer ---------->|-- video-offer ---------->|
| | setRemoteDescription() |
| | createAnswer() |
| | setLocalDescription() |
|<-- video-answer ----------|<-- video-answer ---------|
| setRemoteDescription() | |
| | |
|-- ICE candidates ------->|-- ICE candidates ------->|
|<-- ICE candidates --------|<-- ICE candidates --------|
| | |
|<========= Direct P2P media connection (signaling server no longer involved) =========>|
Signaling Server vs. STUN Server vs. TURN Server
Developers new to WebRTC often confuse these three server types. They work together but serve completely different purposes.
| Signaling Server | STUN Server | TURN Server | |
|---|---|---|---|
| Purpose | Exchange connection metadata | Find public IP address behind NAT | Relay media when direct connection fails |
| What it handles | SDP, ICE candidates, session state | IP/port discovery | Media streams (audio, video, data) |
| Traffic load | Very low (text messages only) | Very low (short request/response) | High (all media passes through it) |
| Required? | Yes, always | Usually yes | Only as fallback (~15–20% of calls) |
| Active during the call? | No (only during setup) | No | Yes, if being used |
| You must build it? | Yes | No (public options available) | Recommended to run your own |
| Protocol | Any (WebSocket, HTTP, SIP, XMPP) | STUN (RFC 5389) | TURN (RFC 5766) |
All three are typically used together when building a WebRTC application. STUN and TURN are configured in the iceServers array, while the signaling server is a separate WebSocket connection:
const peerConnection = new RTCPeerConnection({
iceServers: [
{ urls: "stun:stun.l.google.com:19302" },
{
urls: "turn:your-turn-server.com:3478",
username: "user",
credential: "password"
}
]
});
The signaling server is the piece you build. STUN and TURN are infrastructure you deploy or source separately.
WebRTC Signaling Protocols
Since the WebRTC spec doesn’t define a signaling protocol, you have several options. Each has different trade-offs for performance, complexity, and compatibility.
| Protocol | Latency | Complexity | Best For |
|---|---|---|---|
| WebSocket | ~1–5ms | Low | Most web and mobile apps, MVPs |
| HTTP Long-Polling | 100–500ms | Low | Simple deployments, legacy environments |
| SIP over WebSocket | Low | High | Telecom/VoIP apps, legacy system integration |
| XMPP/Jingle | Low | Medium–High | Federated chat platforms, decentralized apps |
| MQTT | Very low | Medium | IoT, embedded, low-bandwidth environments |
WebSocket
WebSocket is the standard choice for most WebRTC applications. It’s a persistent, full-duplex TCP connection — ideal for the real-time, bidirectional message flow that signaling requires. Libraries like Socket.IO add room management, reconnection handling, and fallback support on top of the raw WebSocket protocol.
HTTP Long-Polling
Long-polling works by keeping a request open until the server has something to send. It’s simpler to deploy behind standard HTTP infrastructure but adds latency compared to WebSocket. This approach makes sense for simple prototypes or environments where WebSocket connections are blocked, but rarely for production apps.
SIP (Session Initiation Protocol)
SIP is a mature telecom standard used in VoIP systems. Building WebRTC signaling on SIP makes sense when integrating with existing phone systems or when you need enterprise-grade session management. The trade-off is significant complexity — SIP requires specialized server software like Kamailio or FreeSWITCH and a team with telecom experience.
XMPP (Extensible Messaging and Presence Protocol)
XMPP, extended with the Jingle protocol, provides a solid signaling layer for federated messaging applications. If you’re building a chat platform that needs to work across multiple servers or integrate with existing XMPP infrastructure, this approach is worth considering.
For most developers building new WebRTC applications, WebSocket with a custom JSON protocol is the practical choice — fast to build, easy to debug, and flexible enough for any use case.
How to Build a WebRTC Signaling Server with Node.js
Building a basic signaling server takes about 50 lines of Node.js. Here’s a working implementation using Express and Socket.IO.
Prerequisites
npm init -y
npm install express socket.io
Signaling Server (server.js)
const express = require("express");
const http = require("http");
const { Server } = require("socket.io");
const app = express();
const server = http.createServer(app);
const io = new Server(server, {
cors: { origin: "*" }
});
const rooms = {};
io.on("connection", (socket) => {
console.log("Client connected:", socket.id);
// Join a signaling room
socket.on("join-room", (roomId) => {
if (!rooms[roomId]) rooms[roomId] = [];
rooms[roomId].push(socket.id);
socket.join(roomId);
// Notify other peers in the room
socket.to(roomId).emit("peer-joined", socket.id);
});
// Relay SDP offer
socket.on("offer", ({ targetId, sdp }) => {
io.to(targetId).emit("offer", { fromId: socket.id, sdp });
});
// Relay SDP answer
socket.on("answer", ({ targetId, sdp }) => {
io.to(targetId).emit("answer", { fromId: socket.id, sdp });
});
// Relay ICE candidates
socket.on("ice-candidate", ({ targetId, candidate }) => {
io.to(targetId).emit("ice-candidate", { fromId: socket.id, candidate });
});
// Handle disconnection
socket.on("disconnect", () => {
for (const roomId in rooms) {
rooms[roomId] = rooms[roomId].filter((id) => id !== socket.id);
socket.to(roomId).emit("peer-left", socket.id);
}
console.log("Client disconnected:", socket.id);
});
});
server.listen(3000, () => {
console.log("Signaling server running on port 3000");
});
Client-Side Connection (client.js)
import { io } from "socket.io-client";
const socket = io("wss://your-signaling-server.com");
const peerConnection = new RTCPeerConnection({
iceServers: [{ urls: "stun:stun.l.google.com:19302" }]
});
// Join a room
socket.emit("join-room", "room-123");
// When a new peer joins, send them an offer
socket.on("peer-joined", async (peerId) => {
const offer = await peerConnection.createOffer();
await peerConnection.setLocalDescription(offer);
socket.emit("offer", { targetId: peerId, sdp: offer });
});
// Handle incoming SDP offer
socket.on("offer", async ({ fromId, sdp }) => {
await peerConnection.setRemoteDescription(new RTCSessionDescription(sdp));
const answer = await peerConnection.createAnswer();
await peerConnection.setLocalDescription(answer);
socket.emit("answer", { targetId: fromId, sdp: answer });
});
// Handle SDP answer
socket.on("answer", async ({ sdp }) => {
await peerConnection.setRemoteDescription(new RTCSessionDescription(sdp));
});
// Send ICE candidates to the remote peer
peerConnection.onicecandidate = (event) => {
if (event.candidate) {
socket.emit("ice-candidate", {
targetId: targetPeerId,
candidate: event.candidate
});
}
};
// Add incoming ICE candidates
socket.on("ice-candidate", async ({ candidate }) => {
await peerConnection.addIceCandidate(new RTCIceCandidate(candidate));
});
This gives you the minimal signaling logic needed to connect two WebRTC peers. For production, you’ll need to add authentication, room size limits, input validation, and error handling.
Open Source WebRTC Signaling Servers
If you’d rather start from an existing implementation than build from scratch, several open source options are available:
| Project | Language | Transport | Notes |
|---|---|---|---|
| simple_webrtc_signaling_server | Node.js | Socket.IO | Lightweight, good starting point |
| Signalmaster (SimpleWebRTC) | Node.js | Socket.IO | Deprecated — not recommended for new projects |
| Kurento Media Server | Java/Node.js | WebSocket | Full media server with signaling |
| Janus Gateway | C | WebSocket/HTTP | Advanced, includes SFU support |
| mediasoup | Node.js + C++ | WebSocket | High-performance SFU for group calls |
Note that Janus and mediasoup go well beyond pure signaling — they’re full WebRTC server frameworks that include Selective Forwarding Unit (SFU) functionality for handling multi-party calls efficiently. If you’re building WebRTC video conferencing or group calling features, an SFU is more appropriate than a simple peer-to-peer signaling server.
Scaling and Securing Your Signaling Server
A basic signaling server works fine for development. Production deployments require more thought.
Scaling Your Signaling Server
A single Node.js signaling server can handle tens of thousands of concurrent WebSocket connections. For larger deployments, you’ll need:
- Horizontal scaling — Run multiple server instances behind a load balancer with a Redis pub/sub adapter (e.g.,
@socket.io/redis-adapter) so instances share room state - Sticky sessions — Route clients from the same room to the same server instance, or use a stateless architecture with consistent room-based routing
- Geographic distribution — Deploy signaling servers closer to your users to reduce ICE setup latency
The signaling server itself is lightweight. The real scaling challenge in WebRTC is the TURN server — since TURN proxies all media traffic, bandwidth costs grow directly with the number of calls that fall back to relay mode.
Securing Your Signaling Server
Signaling servers are an attack surface worth protecting. Key steps:
- Use WSS — Always run your signaling server over TLS (
wss://), never plain WebSocket (ws://) - Authenticate before joining rooms — Validate JWT tokens or session credentials before allowing a client to participate in signaling
- Rate limiting — Prevent message floods with per-connection rate limits
- Input validation — Validate SDP and ICE candidate data before passing it to clients
- Room access control — Users should only receive messages from peers in their authorized room
What to Monitor
Track these metrics in production to catch issues early:
– Concurrent signaling connections
– Messages per second per connection
– Failed ICE negotiations (high rates indicate TURN server problems)
– Time from offer to media flowing (end-to-end connection setup latency)
Understanding when to build your own signaling server — versus using managed infrastructure — depends on what you’re actually building. The architecture looks very different for a two-party video call versus a live broadcast to thousands of viewers.
Do You Need to Build Your Own Signaling Server?
Not always. Here’s how to decide based on your use case.
Build your own signaling server when:
– You’re building a two-party or small-group video call app (telehealth, interviews, remote assistance)
– You need full control over session management and room logic
– Your use case has strict privacy requirements that rule out third-party services
– You have backend infrastructure already and want to integrate signaling into it
Use a managed WebRTC platform when:
– You’re building at scale and don’t want to separately manage signaling, STUN, TURN, and an SFU
– Your team needs to ship quickly and doesn’t have deep WebRTC expertise
– You want a complete peer connections solution with built-in reliability
Use a live streaming API when:
– You’re building broadcast-style applications (one-to-many, not peer-to-peer)
– Your use case is live events, OTT platforms, or large audiences
– You want ultra-low-latency streaming without building the WebRTC infrastructure layer yourself
The distinction matters: WebRTC peer-to-peer works well for small groups (typically 2–6 participants). For WebRTC live streaming at scale — thousands of viewers watching a single broadcaster — you need a media server or a streaming platform that handles ingest, encoding, and delivery at scale.
WebRTC Signaling in Live Streaming Applications
When you’re building a one-to-many live streaming application, the signaling architecture looks different from a two-party video call.
In a broadcast setup:
– The publisher (broadcaster) connects to a media server or ingest endpoint — not directly to viewers
– The media server handles fanout, delivering streams to large audiences over HLS, RTMP, or adaptive bitrate streaming protocols
– Signaling happens between the publisher and the ingest endpoint, not between all participants
For broadcast-scale applications, platforms like LiveAPI replace the need to build and maintain your own signaling server, STUN/TURN infrastructure, media server, encoding pipeline, and CDN for live streaming. You connect via RTMP or SRT protocol ingest, and LiveAPI handles encoding, packaging into HLS, and delivery through Akamai, Cloudflare, or Fastly.
If you need sub-second latency for interactive broadcast use cases — viewers who react in near real-time — LiveAPI supports this through its low-latency HLS delivery infrastructure, and you can compare protocol options in the WebRTC vs RTMP guide.
For developers building peer-to-peer WebRTC features (video calls, screen sharing, data channels), you’ll still need your own signaling server. But for live broadcasts to large audiences, a managed live streaming API removes the signaling complexity entirely.
WebRTC Signaling Server FAQ
Does WebRTC require a signaling server?
Yes. WebRTC has no built-in peer discovery mechanism. The signaling server is what allows two clients to exchange the SDP and ICE information needed to establish a direct connection. Without it, peers can’t start the offer/answer process, and no connection can form.
Can I use Firebase as a WebRTC signaling server?
Yes. Firebase Realtime Database or Firestore can act as a signaling layer — clients write SDP and ICE candidate documents to a shared path, and both peers listen for changes. It’s a fast way to get signaling working without running your own server, though you lose control over message ordering and latency compared to a WebSocket-based approach.
What’s the difference between a signaling server and a TURN server?
A signaling server relays setup messages (SDP, ICE candidates) only during connection establishment, then plays no further role. A TURN server relays actual media streams when a direct peer-to-peer path can’t be established — typically due to symmetric NAT or strict corporate firewalls. Both are needed for reliable WebRTC connections, but they handle completely different types of traffic at different points in the call lifecycle.
How does NAT traversal relate to signaling?
NAT traversal is the process ICE uses to find a working connection path between peers sitting behind different routers or firewalls. The signaling server carries the ICE candidates that make NAT traversal possible — it’s the channel through which peers exchange candidate addresses. The actual traversal work is done by ICE, STUN, and TURN; the signaling server just routes the messages.
What happens to the signaling server once a call is active?
Once both peers have established their RTCPeerConnection and media is flowing, the signaling server is no longer in the call path. It stays connected for session management purposes — detecting disconnections, handling renegotiation if network conditions change — but it doesn’t carry any audio or video data.
Can a single signaling server handle thousands of users?
A Node.js Socket.IO server can handle tens of thousands of concurrent WebSocket connections on a single instance. For larger deployments, run multiple instances with a Redis pub/sub adapter to share room state across nodes. The signaling server is lightweight — bandwidth use is minimal since it only routes small JSON messages. The real capacity bottleneck in WebRTC is usually TURN server bandwidth, not signaling.
What is SDP in WebRTC signaling?
SDP (Session Description Protocol) is a text-based format that describes media session parameters: which codecs each peer supports, the format of audio and video tracks, network addresses, and bandwidth constraints. In WebRTC, the SDP offer/answer exchange through the signaling server is how two peers negotiate compatible media settings before connecting. Without agreeing on a shared codec and format, the RTCPeerConnection can’t establish media flow.
How do I secure a WebRTC signaling server in production?
Run the server over WSS (WebSocket Secure) using TLS — never plain WebSocket. Add token-based authentication before allowing clients to join rooms. Apply per-connection rate limiting to block message floods. Validate all incoming SDP and ICE data. Enforce room-based access control so peers only receive messages from participants in their authorized session.
What is the difference between a signaling server and an SFU?
A signaling server handles only the initial connection negotiation — exchanging SDP and ICE candidates. A Selective Forwarding Unit (SFU) is a media server that sits in the middle of a multi-party call, receiving streams from each participant and selectively forwarding them to others. SFUs are used for group video calls with more than 2–4 participants where a full mesh peer-to-peer topology becomes inefficient. You need both: a signaling server to set up connections to the SFU, and the SFU itself to handle media routing. For video streaming servers at broadcast scale, a different architecture applies entirely.
Build Real-Time Video Without the Infrastructure Complexity
A WebRTC signaling server is the entry point to real-time communication — but it’s just one piece of a larger infrastructure puzzle. For peer-to-peer video calls, you’ll also need STUN and TURN servers, an SFU for group calls, and a solid grasp of ICE, SDP, and NAT traversal to keep connections reliable.
If you’re building live broadcast features — streaming to large audiences rather than connecting small groups of peers — you can skip most of this infrastructure work. Get started with LiveAPI to stream live video at up to 4K quality, with RTMP and SRT ingest, adaptive bitrate delivery, and global CDN distribution through Akamai, Cloudflare, and Fastly.
