Enable URL (token) signing


The JWP dashboard and the Platform API contain a security feature that enables you to lock down public access to videos and/or players. When either videos or players are secured, they can only be requested through so-called signed URLs. These URLs are valid for a short time, so people stealing your video or embed codes will soon end up with broken links.


🚧

Enabling any URL Signing option below will prevent video playback on JW Showcase websites.

This limitation does not apply to the hosted version of the ott-web-app, which is the successor of Showcase. Please contact your Account Manager for more information.



URL signing overview

URL Signing is a very common content protection mechanism and essentially works as follows:

  • You calculate a signature based on the required expiration time, the path of the link, and the secret key of your account.
  • In the video request to our content server you send us the path of the link, the required expiration time and the signature that you generated.
  • We know your secret key too, so we calculate a signature based on the path of the link, the expiration time and your secret key.
  • If the signature that we calculated is the same as the one you sent us, and the expiration time is still in the future, our contentserver will then serve up the content that was requested.
  • If the signature doesn't match, or the timestamp is outdated, we deny the request.


URL signing options

The following table describes the multiple ways to secure your videos and players.

OptionDescription
No URL signing enabled(Default) This is the lowest security setting. Anybody will be able to download your content and embed your player on their website. This setting is great if you wish to make your content viral, for example, by using implementing social sharing.
Secure Video URLs ONWith this setting anyone will still be able to embed your player into their website, but people will not be able to link to your MP4 videos. This means that people cannot just download and/or deep-link to your MP4 videos. If you do wish to make download links available, you will have to generate a signed URL. Note that this option only applies to MP4 videos. For HLS streams, see below.
Secure Player Embeds & HLS Playlists ONUse this setting if you want to lock down embedding of your players and protect your HLS playlists. You need to have a piece of code on your website to dynamically generate signed player and HLS (.m3u8) links.
Secure Video URLs and Secure Player Embeds & HLS Playlists both ONThis is the tightest setting. MP4 video download links, player embed codes and HLS playlists links need to be signed in order to work.

The following table lists the content and players that are protected when only Secure Video URLs is ON, Secure Player Embed & HLS Playlists is ON, or both protections are ON.

Secure Video URLs EnabledSecure Player Embeds & HLS Playlists EnabledBoth Options Enabled
Feeds (.js/.rss)
(requires signing)

HLS playlists (.m3u8)
(DOES NOT require signing)

MPEG-DASH manifests (.mpd)
(DOES NOT require signing)

Playlists (.js/.rss)
(requires signing)

Progressive Videos (.mp4, JWP-hosted)
(requires signing)
Cloud-hosted player libraries
(requires signing, but DOES NOT require signed links in the response)

HLS playlists (.m3u8)
(requires signing)

MPEG-DASH manifests (.mpd)
(requires signing)

Single-line embed players
(requires signing, but DOES NOT require signed links in the response)
Cloud-hosted player libraries
(requires signing AND signed links in the response)

Feeds (.js/.rss)
(requires signing AND signed links in the response)

HLS playlists (.m3u8)
(requires signing)

MPEG-DASH manifests (.mpd)
(requires signing)

Playlists (.js/.rss)
(requires signing AND signed links in the response)

Progressive Videos (.mp4, JWP-hosted)
(requires signing AND signed links in the response)

Single-line embed players
(requires signing AND signed links in the response)


Enabling URL signing

To enable URL signing on your media content and players, you must complete two general processes:

  1. Create signed (non-JWT or JWT) URLs.
  2. Enable URL signing functionality

Since creating signed URLs is a technical process, we strongly advise working with a developer to protect your content with signed URLs.