Signed URLs and Token Auth with a Live Stream

In this topic, you will learn about using signed URLs and token auth to prevent end users from being able to play back your live stream without proper authorization.

Overview

If you are delivering premium or confidential content, you will be looking for all ways to ensure it remains secure. You do not want end users to be able to copy video URLs or continue to play back content without the proper authorization. Brightcove supports signing of RTMP, HLS, and DASH URLs.

If you will be generating your own token, there is one step to this process. If you want the Live system to generate a tokenized URL, there are two steps, detailed in the sections that follow, required to enable token authentication for live streams.

Implementation

Step 1: Creating the live job

To enable token authentication, include the following in the request body when you create a job:

  "add_cdns": [{
    "label": "My CDN",
    "prepend": "mycdn-a.akamaihd.net",
    "protocol": "https",
    "vendor": "akamai",
    "token_auth": {
      "auth_type": "Akamai2.0",
      "key": "AKAMAI_TOKEN_PASSWORD",
      "token_name": "AKAMAI_TOKEN_NAME",
      "media": {
        "start_time": "now",
        "ttl": 600
      }
    }
  }]

The relevant fields are described in the following table:

TTL Fields for Live Jobs
Field	Value
`start_time`	either `now` or a unix/posix start time
`ttl`	number in seconds for time to live
`end_time`	unix/posix end time

The media authentication properties require either the end_time or ttl to be specified. However, providing both is unsupported. This does not produce an error, but the ttl will be checked first, and the end_time will be ignored.

Optionally, specify the playlist properties in the request body:

	"add_cdns": [{
		"label": "My CDN",
		"prepend": "mycdn-a.akamaihd.net",
		"protocol": "https",
		"vendor": "akamai",
		"token_auth": {
		  "auth_type": "Akamai2.0",
		  "key": "AKAMAI_TOKEN_PASSWORD",
		  "token_name": "AKAMAI_TOKEN_NAME",
		  "media": {
			"start_time": "now",
			"ttl": 600
		  },
		  "media_playlist": {
			"start_time": "now",
			"ttl": 3600
		  },
		  "master_playlist": {
			"start_time": "now",
			"ttl": 3600
		  }
		}
	  }]

The relevant fields are described in the following table:

Playlist properties fields for Live Jobs
Field	Value
`media`	media segment authorization.
`media_playlist`	media playlist authorization, defaults to indefinite.
`master_playlist`	master playlist (start URL) authorization, defaults to `media`.

Note that smaller authorization windows can cause playback failures when clients cache playback URLs, particularly the media_playlist.

Step 2: After the live job is created

After the live job is created, you need to make another request to generate the master manifest URLs. To do this, send a POST request to:

  https://api.bcovlive.io/v1/jobs/JOB_ID/authurls

Include the following JSON as the request body:

  {
    "ttl": number in seconds for time to live
  }

Notes

The ttl value for both steps above should be equal to or greater than the DVR window - otherwise the DVR window will be limited to the ttl value
Both http and https are supported
The token_name must be 5-12 characters and must match what is configured in Akamai
start_time is optional and can be "now" (the default) or an epoch time value in seconds
end_time is optional and can be an epoch time value in seconds - either end_time or ttl is required; if not specified, ttl is assumed to be the greater of live_dvr_sliding_window_duration and vod_sliding_window_duration

Limitations

Currently, several live features do not support Token Auth. These include:

Live Redundancy
DRM-HLS Fairplay
DRM-HLS Widevine
Clear DASH
DRM-DASH Widevine
DRM-DASH PlayReady
All of the above with SSAI