After reading the doc here: https://github.com/Haivision/srt/blob/master/docs/AccessControl.md
I have more clarity on the scheme
Here are my updated thoughts based on the doc above:
This is what I need, and the passphrase in my thinking would be a signed token generated after the user authenticates via the web/https path by entering their username and password into a web app that returns the signed token (that will be the passphrase that I would set on the socket once stream_id gives me the username). The signed token/passphrase has an expiration time in my case and can be re-generated before expiration (on the server side upon client request) and sent to the publisher, set on the socket once again, sent by the publisher with the SRT data, and checked by this SRT library to allow/deny the connection.
The idea of the SRT callback for verifying that a user is authenticated via token/passphrase is perfect. My only thought about it is that it probably should have an expiration time and it should be digitally signed. If it does have an expiration time, then we need to be able to renew it while the stream is live and in progress. If it's not renewed and it expires, the stream should be interrupted, but it can have any expiration period like 2 hours or more. Alternatively, the expiration of the passphrase/token should not terminate any live stream in progress but should disallow it from being used for a new connection.
I don't have much knowledge of PSK encryption, or how you'd prove that the expiration date in the passphrase hasn't been modified. If the password doesn't expire, then it's akin to a hashed password, and that's totally fine if a MITM attack scenario (to steal the token) is not possible or not in scope for this feature.
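To make the scheme in this comment concrete, here is an added example (not code from the SRT project or from the comment author) that models the listener-callback decision in Python: the web login mints an HMAC-signed `expiry.user.signature` token, and the callback parses the Access Control `#!::u=...` stream_id form from the linked doc and returns the user's current token as the passphrase to set, or `None` to reject. The signing key, token layout, `token_store` and all function names are assumptions; the 10..79 character bound is the documented range for `SRTO_PASSPHRASE`.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed example key; in practice only the web app and the SRT listener hold it.
SIGNING_KEY = b"constructed-example-signing-key"


def _sign(body: str, key: bytes) -> str:
    """Truncated HMAC-SHA256 over 'expiry.user', base64url without padding (assumed layout)."""
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()[:12]
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(username: str, now: int, ttl: int, key: bytes = SIGNING_KEY) -> str:
    """Mint 'expiry.user.signature' after the https login; the same string is the SRT passphrase.
    Renewal is simply issuing a fresh token before the old one expires."""
    body = f"{now + ttl}.{username}"
    token = f"{body}.{_sign(body, key)}"
    # SRTO_PASSPHRASE accepts 10..79 characters, so the token must stay inside that range.
    if not 10 <= len(token) <= 79:
        raise ValueError("token length unsuitable for SRTO_PASSPHRASE")
    return token


def verify_token(token: str, username: str, now: int, key: bytes = SIGNING_KEY) -> bool:
    """True only if the signature matches (so expiry/user were not altered), the user matches
    and the expiry has not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    exp_str, user, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{exp_str}.{user}", key)):
        return False
    return user == username and exp_str.isdigit() and int(exp_str) > now


def parse_streamid(streamid: str) -> dict:
    """Parse the '#!::k=v,k=v' Access Control syntax into a dict; {} if it is not that syntax."""
    if not streamid.startswith("#!::"):
        return {}
    return dict(kv.split("=", 1) for kv in streamid[4:].split(",") if "=" in kv)


def choose_passphrase(streamid: str, token_store: dict, now: int) -> Optional[str]:
    """Decision logic for the listener callback: look up the user's current token; None rejects.
    The real callback would then set the returned string as SRTO_PASSPHRASE on the socket."""
    user = parse_streamid(streamid).get("u")
    token = token_store.get(user) if user else None
    if token is None or not verify_token(token, user, now):
        return None
    return token
```

Because the expiry and user are covered by the signature, editing either field invalidates the token, which answers the question of how the expiration date is protected against modification.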