Signed URLs and Token Auth with a Live Stream

In this topic, you will learn about using signed URLs and token auth to prevent end users from being able to play back your live stream without proper authorization.

Overview

If you are delivering premium or confidential content, you will want to take every available measure to keep it secure. You do not want end users to be able to copy video URLs or continue to play back content without proper authorization. Brightcove supports signing of RTMP, HLS, and DASH URLs.

If you generate your own token, there is only one step in this process. If you want the Live system to generate a tokenized URL, two steps are required to enable token authentication for live streams; both are detailed in the sections that follow.

Implementation

Step 1: Creating the live job

To enable token authentication, include the following in the request body when you create a job:

  "add_cdns": [{
    "label": "My CDN",
    "prepend": "mycdn-a.akamaihd.net",
    "protocol": "https",
    "vendor": "akamai",
    "token_auth": {
      "auth_type": "Akamai2.0",
      "key": "AKAMAI_TOKEN_PASSWORD",
      "token_name": "AKAMAI_TOKEN_NAME",
      "media": {
        "start_time": "now",
        "ttl": 600
      }
    }
  }]

The relevant fields are described in the following table:

TTL Fields for Live Jobs

  Field       Value
  start_time  either now or a unix/posix start time
  ttl         number in seconds for time to live
  end_time    unix/posix end time

Optionally, specify the playlist properties in the request body:

  "add_cdns": [{
    "label": "My CDN",
    "prepend": "mycdn-a.akamaihd.net",
    "protocol": "https",
    "vendor": "akamai",
    "token_auth": {
      "auth_type": "Akamai2.0",
      "key": "AKAMAI_TOKEN_PASSWORD",
      "token_name": "AKAMAI_TOKEN_NAME",
      "media": {
        "start_time": "now",
        "ttl": 600
      },
      "media_playlist": {
        "start_time": "now",
        "ttl": 3600
      },
      "master_playlist": {
        "start_time": "now",
        "ttl": 3600
      }
    }
  }]

The relevant fields are described in the following table:

Playlist properties fields for Live Jobs

  Field            Value
  media            media segment authorization.
  media_playlist   media playlist authorization, defaults to indefinite.
  master_playlist  master playlist (start URL) authorization, defaults to media.

Step 2: After the live job is created

After the live job is created, you need to make another request to generate the master manifest URLs. To do this, send a POST request to:

  https://api.bcovlive.io/v1/jobs/JOB_ID/authurls

Include the following JSON as the request body, where ttl is the number of seconds for time to live (600 here is a sample value):

  {
    "ttl": 600
  }

Notes

  • The ttl value for both steps above should be equal to or greater than the DVR window - otherwise the DVR window will be limited to the ttl value
  • Both http and https are supported
  • The token_name must be 5-12 characters and must match what is configured in Akamai
  • start_time is optional and can be "now" (the default) or an epoch time value in seconds
  • end_time is optional and can be an epoch time value in seconds - either end_time or ttl is required; if not specified, ttl is assumed to be the greater of live_dvr_sliding_window_duration and vod_sliding_window_duration
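
The constraints in these notes and the playlist defaults from Step 1 can be checked before a job request is sent. The following Python is an added example, not Brightcove code: audit_cdn, window_seconds and the dvr_window_seconds parameter are hypothetical names, and the sample token name is constructed. It flags a token_name of the wrong length, a media_playlist left at its indefinite default, and any section whose lifetime is missing, inverted, or shorter than the DVR window.

```python
import time

SECTIONS = ("media", "media_playlist", "master_playlist")

# Constructed sample: the Step 1 body with a made-up 9-character token name.
SAMPLE_CDN = {
    "label": "My CDN", "prepend": "mycdn-a.akamaihd.net",
    "protocol": "https", "vendor": "akamai",
    "token_auth": {
        "auth_type": "Akamai2.0", "key": "AKAMAI_TOKEN_PASSWORD",
        "token_name": "livetoken",
        "media": {"start_time": "now", "ttl": 600},
    },
}

def window_seconds(section, now):
    """Lifetime in seconds of one section, or None if neither ttl nor end_time is set."""
    start = section.get("start_time", "now")  # "now" is the documented default
    start = now if start == "now" else int(start)
    if "ttl" in section:
        return int(section["ttl"])
    if "end_time" in section:
        return int(section["end_time"]) - start
    return None

def audit_cdn(cdn, dvr_window_seconds, now=None):
    """Return findings for one add_cdns entry; an empty list means nothing flagged."""
    now = int(time.time()) if now is None else now
    auth = cdn.get("token_auth")
    if auth is None:
        return ["token_auth missing: token authentication is not enabled"]
    findings = []
    if cdn.get("protocol") not in ("http", "https"):
        findings.append("protocol must be http or https")
    if not 5 <= len(auth.get("token_name", "")) <= 12:
        findings.append("token_name must be 5-12 characters")
    if "media_playlist" not in auth:
        findings.append("media_playlist unset: authorization defaults to indefinite")
    for name in SECTIONS:
        if name not in auth:
            continue
        secs = window_seconds(auth[name], now)
        if secs is None:
            findings.append(f"{name}: set ttl or end_time")
        elif secs <= 0:
            findings.append(f"{name}: end_time is not after start_time")
        elif secs < dvr_window_seconds:
            findings.append(f"{name}: {secs}s is shorter than the DVR window")
    return findings
```

Calling audit_cdn(SAMPLE_CDN, dvr_window_seconds=1800) reports the indefinite media_playlist default and the 600-second media ttl that would cap the DVR window.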

Limitations

Currently, several live features do not support Token Auth. These include:

  • Live Redundancy
  • DRM-HLS Fairplay
  • DRM-HLS Widevine
  • Clear DASH
  • DRM-DASH Widevine
  • DRM-DASH PlayReady
  • All of the above with SSAI