Secure playback - Visionular

In this guide you will learn how to use signed URLs for securing playback.

Playback ID has two types - public and signed. Public video playback URLs can be watched anywhere, any time, without any restrictions. Signed playback URLs, on the other hand, include JSON Web Token (JWT) that are signed server-side by your application. It should be noted that if no playback policy is specified, the default value is 'public.' If specified, a maximum of 20 playback policies are supported.

Follow these steps to create signed URLs:

Step 1. Create a Live Stream with a signed playback policy

When creating a live stream, the policy parameter is signed.

// POST https://api.visionular.com/live/v1/live-streams

{
    "policy"："signed"
}

Step 2. Create the signing key

Signing keys can be created from the AuroraLive API. When creating a new signing key, the API generates a 2048-bit RSA key-pair and returns the private key and a generated key-id. Securely store the private key for signing the token, and AuroraLive stores the public key to validate the signed tokens.

See Create a URL signing key API for full documentation.

// POST https://api.visionular.com/live/v1/signing-keys

{
  "code": 0,
  "data": {
    "private_key": "(base64-encoded PEM file with private key)",
    "id": "(unique signing-key identifier)",
    "created_at": "(UNIX Epoch seconds)”
  },
    "message": "success",
    "request_id": "c749ff23-9b69-4cf0-a99c-4c6c5fc62bdc"
}

Step 3. Generate a JSON Web Token (JWT)

All signed requests have a JWT with the following payloads:

payload	Description	Value
sub	Subject of the JWT	playback ID
aud	Audience	The specified value is v
exp	Expiration time	UNIX Epoch seconds when the token expires
kid	Key Identifier	Key ID returned when signing key was created

Step 4. Sign the JSON Web Token (JWT)

The steps can be summarized as:

Load the private key used for signing
Assemble the payloads (sub, exp, kid, aud, etc) in a map
Encode and sign the JWT using the payloads map and private key and the RS256 algorithm.

Examples Golang

package main

import (
    "encoding/base64"
    "fmt"
    "log"
    "time"

    "github.com/dgrijalva/jwt-go"
)

func main() {

    playbackId := "" // Enter your signed playback id here
    keyId := ""      // Enter your signing key id here
    key := ""        // Enter your base64 encoded private key here

    decodedKey, err := base64.StdEncoding.DecodeString(key)
    if err != nil {
        log.Fatalf("Could not base64 decode private key: %v", err)
    }

    signKey, err := jwt.ParseRSAPrivateKeyFromPEM(decodedKey)
    if err != nil {
        log.Fatalf("Could not parse RSA private key: %v", err)
    }

    token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims{
        "sub": playbackId,
        "aud": "v",
        "exp": time.Now().Add(time.Minute * 15).Unix(),
        "kid": keyId,
    })

    tokenString, err := token.SignedString(signKey)
    if err != nil {
        log.Fatalf("Could not generate token: %v", err)
    }

    fmt.Println(tokenString)
}

Step 5. Include the JSON Web Token (JWT) in the playback URL

Playback URL example:

https://stream.visionular.com/{playback_id}.m3u8?token={token}