Enable URL (token) signing


The JWP dashboard and the Platform API contain a security feature that enables you to lock down public access to videos and/or players. When either videos or players are secured, they can only be requested through so-called signed URLs. These URLs are valid for a short time, so people stealing your video or embed codes will soon end up with broken links.


🚧

Enabling any URL Signing option below will prevent video playback on JW Showcase websites1.

This limitation does not apply to the hosted version of the ott-web-app, which is the successor of Showcase. Please contact your Account Manager for more information.

1 Support for JW Showcase will cease on 31 December 2023. You must transition any existing JW Showcase implementations to the Web App framework.



URL signing overview

URL Signing is a very common content protection mechanism and essentially works as follows:

  • You calculate a signature based on the required expiration time, the path of the link, and the secret key of your account.
  • In the video request to our content server, you send us the path of the link, the required expiration time, and the signature that you generated.
  • JWP servers know your secret key as well. A signature is calculated based on the path of the link, the expiration time, and your secret key.
  • If the signature that we calculated is the same as the one you sent us, and the expiration time is still in the future, our content server will then serve up the content that was requested.
  • If the signature doesn't match or the timestamp is outdated, we deny the request.


URL signing options

The following table describes the multiple ways to secure your videos and players.

OptionDescription
No URL signing enabled(Default) This is the lowest security setting. Anybody can download your content and embed your player on their website.

This setting is great if you wish to make your content viral, for example, by using implementing social sharing.
Secure Video URLs ONWith this setting, anyone will still be able to embed your player into their website, but people will not be able to link to your MP4 videos. This means people cannot just download or deep-link to your MP4 videos.

If you do wish to make download links available, you will have to generate a signed URL. Note that this option only applies to MP4 videos. For HLS streams, see below.
Secure Player Embeds & HLS Playlists ONUse this setting if you want to lock down embedding of your players and protect your HLS playlists. You need to have a piece of code on your website to dynamically generate signed player and HLS (.m3u8) links.
Secure Video URLs and Secure Player Embeds & HLS Playlists both ONThis is the tightest setting. MP4 video download links, player embed codes and HLS playlists links need to be signed in order to work.

Secure signing behavior

The following table lists the content and players that are protected when only Secure Video URLs is ON, Secure Player Embed & HLS Playlists is ON, or both protections are ON.


Click to expand the secure signing table key

The table below allows you to check content types against their required protection status in the secure signing table.

Icon Description
X
No signing required
βœ“
Signing required
βœ“-
Signing required, but signed link in response not required
βœ“+
Signing and signed link in response required


ContentSecure Video URLs EnabledSecure Player Embeds & HLS Playlist EnabledBoth Enabled
Feeds (.js/.rss) & Playlists (.js/.rss)βœ“N/Aβœ“+
HLS playlists (.m3u8)Xβœ“βœ“
MPEG-DASH manifests (.mpd)Xβœ“βœ“
Progressive Videos (.mp4, JWP-hosted)βœ“N/Aβœ“+
Playlist and media objects/feeds (metadata)XXX
Cloud-hosted player librariesN/Aβœ“-βœ“+
Single-line embed playersN/Aβœ“-βœ“+
Images, text tracksXXX


Enabling URL signing

To enable URL signing on your media content and players, you must complete two general processes:

  1. Create signed (non-JWT or JWT) URLs.
  2. Enable URL signing functionality

Since creating signed URLs is a technical process, we strongly advise working with a developer to protect your content with signed URLs.



FAQ

Does URL token signing work the same for JWP hosted and externally hosted (registered) media?

No.

For JW Platform hosted media, both the request to the Delivery API and all media URLs will be signed.

For externally hosted (registered) media, only the request to the Delivery API and the returned media URL will be signed. The signed media URL from the Delivery API response will redirect (HTTP status code 302) to the externally hosted media URL. JW Platform will not sign the externally hosted media URL.