Wowza (Standalone)

Learn how to use Wowza Media Systems to package your media for Studio DRM.

Wowza Media Systems (Wowza) is a streaming solutions provider. Encryption keys requested and retrieved through any supported key provider API are compatible with Wowza.

Configure Wowza

Use the following steps to configure Wowza to support Studio DRM:

  1. Stop Wowza from appending the session ID to the license server URL.
  2. Change the EXT-X-VERSION for HLS stream to 5.
  3. Set the Studio DRM settings:
    ย ย ย โ€ข HLS
    ย ย ย โ€ข MPEG-DASH

    Widevine, PlayReady, and FairPlay key values can be set in the same file.


You can also use the Studio DRM Wowza API to set the keys.

Studio DRM Wowza API

The Studio DRM Wowza API is a small Docker web API application which runs on the Wowza server, allowing the provisioning of keyfiles through a simple REST interface.

The Studio DRM Wowza has been tested with Wowza Streaming Engine version 4.7.7.

In the following example, the API is exposed on port 9000 and the API key is set to a GUID.

docker run -d --restart always -p 9000:80 \
           -e WOWZADRMAPI_APIKEY=93640045-31f1-45c0-aa0d-b5682d7c9ac8 \
           -e WOWZADRMAPI_KEYFILESPATH=/mnt/keyfiles \
           -v [wowza-install-dir]/keys:/mnt/keyfiles \
           --name wowza-drm-api vualto/wowza-drm-api:1.0.0


All requests to the API must be authorized with an x-api-key header whose value must match that set by the WOWZADRMAPI_APIKEY environment variable. A missing or mismatched x-api-key header will yield a 401 Unauthorized status.

Retrieve contents of Wowza stream keyfile


Returns the contents of the keyfile for the specified Wowza stream if it exists
A 404 error is returned if the Wowza stream does not exist.

Path Parameter

Parameter Description
streamid ID of the stream to protect

This is the name of the .key file created on the server

Create a Wowza stream keyfile


Creates or overwrites the keyfile for the Wowza stream
Keys can be supplied either automatically using the Studio DRM Key Provision Services or manually.


curl -X POST /api/keyfile/{streamid} \
     -H 'API-KEY: {api_key}'\
     -d '{}'

Path Parameter

Parameter Description
streamid ID of the stream to protect

This is the name of the .key file created on the server

Body Parameter

    "cenc": {
        "keyid": "RNpS70UjCY5oVHd+4yJoHQ==",
        "contentkey": "lnA03mLuxnL3toiRMxV4Zw=="
    "playready": {
        "laurl": "",
        "checksum": "pcTs6CEp98A="
    "widevine": {
        "psshdata": "IiRkN2EyOTk1Ni0yOTgwLTQzMzgtYjYyNy04N2MxZjA3OWUwOTFI49yVmwY="
    "fairplay": {
        "key": "CBF76BB43B9A54254A5FC20074A3A53B",
        "iv": "1A3F2AA76D84742DD123E3E50E7BC681",
        "laurl": "skd://"
    "contentId": "mycontentid",
    "client": "my-client-name",
    "clientApiKey": "8f30c7d2-a9b9-474e-907b-97a190abd6c4",
    "drmJson": "{\"drm_provider\": \"VUALTO\"}"
Parameter Description
cenc object Common Encryption Scheme (CENC) encryption key object

Required for Playready or Widevine.

See: cenc object
client string Name of the DRM account
clientApiKey string API key for accessing Studio DRM APIs
contentId string Unique identifier for the content
drmjson object (Internal use only) Set to null.
fairplay object FairPlay encryption key object

See: fairplay object
playready object PlayReady encryption key object

See: playready object
widevine object Widevine encryption key object

See: widevine object

cenc object

Parameter Description
contentkey string 128-bit encryption key in base64 in Big Endian
keyid string Unique ID for the encryption in base64 in Big Endian

fairplay object

Parameter Description
iv string FairPlay encryption key
key string FairPlay unique ID for the encryption
laurl string FairPlay license server URL that at the point of the request to the license server the skd:// protocol should be replaced with https://

playready object

Parameter Description
checksum string PlayReady security value
laurl string PlayReady license server URL

widevine object

Parameter Description
psshdata string PSSH data from the Widevine PSSH box that usually contains encryption scheme and content ID


mpegdashstreaming-cenc-key-id: MT8jItzhV+ay+3QEtoyIxQ==
mpegdashstreaming-cenc-content-key: EcZ9tM1adkoleC1hwFlpQw==
mpegdashstreaming-cenc-algorithm: AESCTR
mpegdashstreaming-cenc-keyserver-widevine: true
mpegdashstreaming-cenc-keyserver-widevine-system-id: edef8ba9-79d6-4ace-a3c8-27dcd51d21ed
mpegdashstreaming-cenc-keyserver-widevine-pssh-data: Igp3b3d6YS1kZW1vSOPclZsG
mpegdashstreaming-cenc-keyserver-playready: true
mpegdashstreaming-cenc-keyserver-playready-system-id: 9a04f079-9840-4286-ab92-e65be0885f95
mpegdashstreaming-cenc-keyserver-playready-checksum: Mv5YB5EhHKw=
cupertinostreaming-aes128-method: SAMPLE-AES
cupertinostreaming-aes128-url: skd://
cupertinostreaming-aes128-key: 24F79075974B8E1BC8AF576925B8458F
cupertinostreaming-aes128-iv: A140A11A450DBC04E67F39B850C13D41
cupertinostreaming-aes128-iv-include-in-chunklist: false
cupertinostreaming-aes128-key-format-version: 1

Response Parameters

Parameter Description
cupertinostreaming-aes128-iv The iv_hex value from the Fairplay Response
cupertinostreaming-aes128-iv-include-in-chunklist Must be set to false
cupertinostreaming-aes128-key The key_hex value from the Fairplay Response
cupertinostreaming-aes128-key-format Must be set to
cupertinostreaming-aes128-key-format-version Must be set to 1
cupertinostreaming-aes128-method Must be set to SAMPLE-AES
cupertinostreaming-aes128-url The laurl value from the Fairplay Response
mpegdashstreaming-cenc-algorithm Must be set to AESCTR
mpegdashstreaming-cenc-content-key The content_key value from the CENC Response
mpegdashstreaming-cenc-key-id The key_id_big value from the CENC Response
mpegdashstreaming-cenc-keyserver-playready Must be set to true
mpegdashstreaming-cenc-keyserver-playready-checksum The checksum value from the CENC Response
mpegdashstreaming-cenc-keyserver-playready-license-url The playready_laurl value from the CENC Response
mpegdashstreaming-cenc-keyserver-playready-system-id Must be set to 9a04f079-9840-4286-ab92-e65be0885f95
mpegdashstreaming-cenc-keyserver-widevine Must be set to true
mpegdashstreaming-cenc-keyserver-widevine-pssh-data The widevine_drm_specific_data value from the CENC Response
mpegdashstreaming-cenc-keyserver-widevine-system-id Must be set to edef8ba9-79d6-4ace-a3c8-27dcd51d21ed

Delete a Wowza stream keyfile


Remove the keyfile for the specified Wowza stream, returning its contents before deletion


curl -X DELETE /api/keyfile/{streamid} \
     -H 'API-KEY: {api_key}'

Path Parameter

Parameter Description
streamid ID of the stream to protect

This is the name of the .key file created on the server

Stream Tester

Validate your Studio DRM-protected stream in web environments using the JWP Stream Tester.