Module: Plex
A simple (list navigation focused) Plex client for browsing and playback of content on a CRT TV.
Allows you to view content from any servers and libraries associated with your account. It requires internet access as well as authentication via Plex to function.
Built using Plex's public API: https://developer.plex.tv/pms/
Go to Settings > Plex and set Enabled to On
Browse & Discover
- Supports Movie, TV Show and Other Video Library types (Music and Photo are not currently supported)
- Library, collection, playlist, and category browsing
- Recommendation hubs: Continue Watching, Trending, and Dynamic Recommendations
- Alphabetical jump navigation
- Show/Season browsing
- Movie editions
Playback (through MPV)
- Direct Playback or Transcode options
- Wide codec support (HEVC, AV1, VP9, and more)
- Audio track selection and playback switching
- Subtitle track selection and playback switching
- Progress sync and resume
- Custom MPV OSC/OSD designed for CRT usage
Account
- Pin Auth via plex.tv/link
- Managed account user switch
- Server switching (both managed local and shared remote servers)
- Automatic server connection probing (local → remote → relay fallback) for both local and remote server access
- Library selection
| Option | Values | Info |
|---|---|---|
| Enabled | On/Off | Sets if the Plex module should display in the main module list when you start 240-MP. |
| Current User | Dynamic (based on your account's user list) | Displays the list of managed users under your account and allows you to select which user to browse Plex as from that list. |
| Auto Sign In | On/Off | Sets whether you must select a user each time you start browsing or whether the current user is used as the default. |
| Server | Dynamic (based on your account's server list) | Displays the list of available servers associated with your Plex account (both managed servers and servers that are shared with you). |
| Libraries | Dynamic (based on the selected server) | Allows you to select which libraries you would like to display when browsing the selected server. |
| Video Quality | Direct Playback and Transcoding Options | Direct playback will stream the video directly from Plex to your device. On a Raspberry Pi 4 I've had success with 1080p HEVC files, but depending on bitrate your mileage may vary. If you are trying to watch video that a Raspberry Pi can't natively decode, you can use this option to have your server transcode the content before sending it to the Raspberry Pi for playback. |
| Resume Playback | Ask/Always | Ask will present you with an option to restart playback or resume, and Always will resume without asking. |
| Sign Out | -- | Signs you out of Plex and deauthorizes 240-MP from your account. When you open the Plex module you will be presented with Pin Auth again. |
The Auth method implements Plex's JWT Authentication documented here: https://developer.plex.tv/pms/#section/API-Info/Authenticating-with-Plex
When you sign in to Plex, 240-MP receives an authentication token from Plex's servers and saves it to a file called plex_auth.json in the app's data directory. This token is what allows the app to recognize you and communicate with your Plex server without signing in again each time. The token is stored as-is (not additionally encrypted) and the file is created with owner-only read/write permissions (chmod 600) before the token is written to it.
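The ordering described above (restrict permissions first, write the token second) can be sketched as follows. This is an added example, not 240-MP's own code; the function names, the `{"token": ...}` JSON layout and the sample token are assumptions made for illustration.

```python
import json
import os
import stat
import tempfile


def save_token(path, token):
    """Write the token so it never exists on disk with wider than 0600 permissions."""
    tmp = path + ".tmp"
    try:
        os.unlink(tmp)  # clear a leftover from an interrupted run
    except FileNotFoundError:
        pass
    # O_EXCL: fail rather than reuse a file someone else created.
    # 0o600 is applied at creation time, before any token bytes are written.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            os.fchmod(fh.fileno(), 0o600)  # explicit, independent of umask
            json.dump({"token": token}, fh)  # "token" key is an assumed layout
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic swap; an old, wider-mode file is replaced
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def audit_token_file(path):
    """Return a list of findings; an empty list means an owner-only regular file."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append("group/other bits set: %s" % oct(mode))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "plex_auth.json")
        save_token(p, "CONSTRUCTED-SAMPLE-TOKEN")  # constructed value, not a real token
        print(audit_token_file(p))
        os.chmod(p, 0o644)  # simulate a copy or restore that widened the mode
        print(audit_token_file(p))
```

`audit_token_file` is the kind of check worth running after restoring a backup or copying the data directory, since those operations can silently widen the file mode.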
Why did I set it up this way?
240-MP was built as a personal hobby project for what I thought was a pretty niche use case (i.e. running Plex on a Raspberry Pi through a CRT). I built it to run on a dedicated Pi on a secured local home network. It's not designed for large-scale deployment, multi-user or public network use.
Based on that, the main things that keep your token safe are:
- You physically control the device, and
- It lives on a network you trust.
The chmod 600 permission sits on top of those as an extra layer: it stops other user accounts on the same Pi from reading the file. File permissions don't protect against someone with physical access to the SD card or root on the machine, because they can read any file regardless. For a dedicated appliance you keep at home I thought that was an acceptable trade-off, and it's why I focused most on the two points above.
I went with OS-level file permissions instead of encryption because, on a headless Pi that boots straight into the app, there's nowhere genuinely "safe" to keep an encryption key. Encryption would only help if the key lived somewhere more protected (a hardware security module, or a passphrase you type at each launch), and neither of those fit the "turn it on and it just works" experience I wanted. It's something I'm open to exploring later, but I chose to keep it simple for now.
It's also worth noting the JWT token has a limited lifetime and refreshes on a rolling basis, and you can revoke 240-MP's access at any time from Plex's authorized device list. So even in a worst case, a token has a bounded life and a kill switch that you control.
What does that mean for you?
240-MP's Plex module communicates only with Plex directly; it has no other communication paths to any other service (the source code for the module is provided to help you validate this). Your token stays protected as long as you keep the following in mind:
- Run your Pi with a real user account and a strong password (modern Raspberry Pi OS already makes you create one during imaging), and if you enable SSH, don't pair it with a weak password.
- Keep your Pi running 240-MP on your local home network.
- Don't share or copy the plex_auth.json file anywhere.
- Remember that SD card backups/images contain the token too — if you image or clone your card to troubleshoot or hand it off, treat that image as if it contains your Plex login.
- If you lose access to your Pi for any reason, de-authorize 240-MP from Plex's authorized device list.
- Music Library support
- Auto-play next episode
- Optimized Version playback
- "Advertise as player" support
