Concepts: STUN vs TURN

A relay is a fallback, not the default path. Understanding when WebRTC actually uses one — and why Baton returns several transport URLs at once — explains everything else in these docs.

STUN — find your public address

STUN lets a client discover its own public IP and port as seen from the internet (a server-reflexive, or srflx, candidate). When both peers can reach each other directly, that's the whole job: media flows peer-to-peer and no relay is involved. STUN is cheap and stateless.

[Diagram: Peer A (behind NAT) and Peer B (remote) each ask the STUN server "what's my public IP?"; direct media then flows between the two peers.]
Each peer asks STUN for its public address, then they connect directly — peer-to-peer, no relay.

TURN — relay when direct fails

When a symmetric NAT, a deny-all firewall, or a corporate proxy blocks a direct path, the peers can't connect on their own. TURN provides a relay: both peers send media to the relay, and it forwards packets between them. That produces a relay candidate. Relaying costs bandwidth, so it's only used when it has to be.

[Diagram: Peer A (behind NAT) and Peer B (firewalled) both connect to the Baton relay; the direct path between them is blocked.]
The direct path is blocked, so media flows through the relay — both peers reach Baton, and it forwards packets between them.

When is a relay actually used?

For most consumer networks, direct or STUN-assisted connections succeed and no relay is needed. A relay typically carries roughly 10–25% of connections — the ones behind hard NATs, mobile carrier-grade NAT, or restrictive enterprise and hospital firewalls. Those are exactly the connections that fail silently without a working TURN server, which is why the relay has to be dependable even though it's the minority path.

[Chart: share of connections that are direct & STUN-assisted versus those that need a TURN relay.]

The relay is the minority path — but it's the one that fails silently without a dependable TURN server.

Why several transport URLs come back

A single credential request returns multiple URLs so the browser's ICE agent can try them in parallel and keep whichever connects first:

[Diagram: the ICE agent tries four URLs in parallel: stun:3478 (direct, no relay); turn:3478?transport=udp (preferred relay); turn:3478?transport=tcp (UDP-blocked fallback); turns:443?transport=tcp (TLS, beats strict firewalls).]
You hand over all four; ICE races them and keeps whichever connects first.

| URL | What it does |
| --- | --- |
| stun:…:3478 | Gather server-reflexive candidates and connect directly when possible — no relay. |
| turn:…:3478?transport=udp | Preferred relay path: lowest latency, best media quality. |
| turn:…:3478?transport=tcp | Fallback when UDP is blocked on the network. |
| turns:…:443?transport=tcp | TURN over TLS on 443 — looks like ordinary HTTPS and traverses strict DPI and deny-all corporate / hospital firewalls. The endpoint that matters most for enterprise clients. |

You don't choose between these — you hand the whole array to the client and let ICE negotiate. See the API reference for the exact response.
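
An added example (not Baton's own code): a pre-flight check that parses the URLs in an iceServers array as STUN/TURN URIs (RFC 7064 / RFC 7065) and reports which of the four paths above is missing, and which TURN URLs lack credentials, before the array reaches RTCPeerConnection. The RTCIceServer-shaped response, the host relay.example.test, the credential values and the role names are assumptions; the API reference has the real response.

```javascript
// Added example: pre-flight check for an iceServers array (RTCIceServer shape assumed).
const DEFAULT_PORT = { stun: 3478, stuns: 5349, turn: 3478, turns: 5349 };

// Parse a STUN/TURN URI (RFC 7064 / RFC 7065) into scheme, host, port, transport.
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i.exec(url);
  if (!m) throw new Error(`not a STUN/TURN URI: ${url}`);
  const scheme = m[1].toLowerCase();
  if (scheme.startsWith("stun") && m[4]) throw new Error(`stun URIs take no transport: ${url}`);
  // Without ?transport=, plain schemes default to UDP and the TLS schemes to TCP.
  const transport = (m[4] || (scheme.endsWith("s") ? "tcp" : "udp")).toLowerCase();
  return { scheme, host: m[2], port: Number(m[3] || DEFAULT_PORT[scheme]), transport };
}

// The four paths the page lists; the role names are this example's own.
const ROLES = {
  direct: (u) => u.scheme.startsWith("stun"),
  relayUdp: (u) => u.scheme === "turn" && u.transport === "udp",
  relayTcp: (u) => u.scheme === "turn" && u.transport === "tcp",
  relayTls443: (u) => u.scheme === "turns" && u.transport === "tcp" && u.port === 443,
};

// Report which paths are absent and which TURN URLs have no username/credential.
function checkIceServers(iceServers) {
  const parsed = [];
  const uncredentialed = [];
  for (const server of iceServers) {
    for (const url of [].concat(server.urls)) {
      const u = parseIceUrl(url);
      parsed.push(u);
      if (u.scheme.startsWith("turn") && !(server.username && server.credential)) {
        uncredentialed.push(url);
      }
    }
  }
  const missing = Object.keys(ROLES).filter((role) => !parsed.some(ROLES[role]));
  return { missing, uncredentialed };
}

// Constructed sample: host and credentials are placeholders, not a real response.
const sampleIceServers = [
  { urls: "stun:relay.example.test:3478" },
  { urls: ["turn:relay.example.test:3478?transport=udp",
           "turn:relay.example.test:3478?transport=tcp",
           "turns:relay.example.test:443?transport=tcp"],
    username: "PLACEHOLDER_USER", credential: "PLACEHOLDER_SECRET" },
];

console.log(checkIceServers(sampleIceServers)); // next step: new RTCPeerConnection({ iceServers })
```

A non-empty missing list containing relayTls443 means clients behind strict firewalls have no usable path, which is the silent-failure case described above.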