support Contact Support | system status System Status
Page Contents

    Signed URLs and Token Auth with a Live Stream

    In this topic, you will learn about using signed URLs and token auth to prevent end users from being able to play back your live stream without proper authorization.

    Overview

    If you are delivering premium or confidential content, you will be looking for all ways to ensure it remains secure. You do not want end users to be able to copy video URLs or continue to play back content without the proper authorization. Brightcove supports signing of RTMP, HLS, and DASH URLs.

    If you will be generating your own token, there is one step to this process. If you want the Live system to generate a tokenized URL, there are two steps, detailed in the sections that follow, required to enable token authentication for live streams.

    Implementation

    Step 1: Creating the live job

    To enable token authentication, include the following in the request body when you create a job:

      "add_cdns": [{
        "label": "My CDN",
        "prepend": "mycdn-a.akamaihd.net",
        "protocol": "https",
        "vendor": "akamai",
        "token_auth": {
          "auth_type": "Akamai2.0",
          "key": "AKAMAI_TOKEN_PASSWORD",
          "token_name": "AKAMAI_TOKEN_NAME",
          "media": {
            "start_time": "now",
            "end_time": 1495697388,
            "ttl": 60
          }
        }
      }]

    The relevant fields are described in the following table:

    TTL Fields for Live Jobs
    Field Value
    start_time either now or a unix/posix start time
    end_time unix/posix end time
    ttl number in seconds for time to live

    Step 2: After the live job is created

    After the live job is created, you need to make another request to generate the master manifest URLs. To do this, send a POST request to:

      https://api.bcovlive.io/v1/jobs/JOB_ID/authurls

    Include the following JSON as the request body:

      {
        "ttl": number in seconds for time to live
      }

    Notes

    • The ttl value for both steps above should be equal to or greater than the DVR window - otherwise the DVR window will be limited to the ttl value
    • Both http and https are supported
    • The token_name must be 5-12 characters and must match what is configured in Akamai
    • start_time is optional and can be "now" (the default) or an epoch time value in seconds
    • end_time is optional and can be an epoch time value in seconds - either end_time or ttl is required; if not specified, ttl is assumed to be the greater of live_dvr_sliding_window_duration and vod_sliding_window_duration

    Page last updated on 13 Oct 2020