Knowledge base

Secure token

Secure tokens protect your content by generating a unique hash that prevents unauthorised access to access your URL / file.

To enable the secure token option, just click on the "Secure token" option in the Access protection section after selecting the CDN Resource. Once enabled, you're presented with a key that is used as part of the process of generating secured links.

You can customise the link expiry with a timestamp. The most secure option is to include an IP address, should you wish to have full control over who's accessing your content and create links per user and the relevant IP address.

Main functions

  • Secure tokens allow you to generate links to your live stream with an expiration time, effectively protecting your content.
  • Generated secure links provide the content only within a predefined period of time and only to visitors who have the links which contain the secure hash.
  • It is not possible to request secured content without a valid (non-expired) hash from the CDN resource.
  • After the expiration time, the links are unavailable, and new ones must be generated in order to request the secured content again.

Hash

The hashing function of the secure token generator makes use of a standard MD5 message-digest algorithm which produces a 128-bit hash value.

Specifying the secure token path

If you plan on enabling secure tokens, you will then need to correctly generate the URLs to access your files through the CDN.

When activating secure tokens in your account, you're presented with the option to choose either Parameter or Path.

With regards to live-streaming, it is important that you set the secure tokens to Path. That way the CDN is able to properly secure your streams, using the PHP secure token generator which functions based on your live stream path.

It is also possible to create a similar generator in another programming language of your choice, the generator is not limited to the PHP examples below.

Type parameter

To generate using Parameter secure token option, use the following code example:

<?php

/**
 * Create hash link CDN resource
 */
function getSignedUrlParameter(
	string $cdnResourceUrl,
	string $filePath,
	string $secureToken,
	?int $expiryTimestamp = null
): string {
	// Add slash to start of file path if missing
	if ($filePath[0] !== '/') {
		$filePath = '/' . $filePath;
	}

	// Cut the query string from file path (e.g. "/file/video.mp4?autoplay=true" changes to "/file/video.mp4")
	if ($positionOfStartQuery = strpos($filePath, '?')) {
		$filePath = substr($filePath, 0, $positionOfStartQuery);
	}

	$hash = $filePath . $secureToken;

	if ($expiryTimestamp) {
		$hash = $expiryTimestamp . $hash;
		$expiryTimestamp = ',' . $expiryTimestamp;
	}

	// Replace invalid URL query string characters +, / with valid characters -, _
	$invalidChars = ['+', '/'];
	$validChars = ['-', '_'];
	$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($hash, true)));

	return 'https://' . $cdnResourceUrl . $filePath . '?secure=' . $finalHash . $expiryTimestamp;
}

?>

Usage example

<?php

echo getSignedUrlParameter('1234456789.rsc.cdn77.org', '/file/video.mp4', 'ykX1QNTRvp3tfSn8', 1389183132);

// https://1234456789.rsc.cdn77.org/file/video.mp4?secure=29QpicPWKD6RpuYMfC8LfA==,1389183132

?>

Type path

To generate using the Path secure token option, use the following code example:

<?php

/**
 * Create hash link Path CDN Resource
 */
function getSignedUrlPath(
	string $cdnResourceUrl,
	string $filePath,
	string $secureToken,
	?int $expiryTimestamp = null
): string {
	// Because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
	// for which we generate the secure token. Because of that, everything included after the last slash is stripped.
	$strippedPath = substr($filePath, 0, strrpos($filePath, '/'));

	// Add slash to start of stripped path if missing
	if ($strippedPath[0] !== '/') {
		$strippedPath = '/' . $strippedPath;
		$filePath = '/' . $filePath;
	}

	// Cut the query string from stripped path
	if ($positionOfStartQuery = strpos($strippedPath, '?')) {
		$filePath = substr($strippedPath, 0, $positionOfStartQuery);
	}

	$hash = $strippedPath . $secureToken;

	if ($expiryTimestamp) {
		$hash = $expiryTimestamp . $hash;
		$expiryTimestamp = ',' . $expiryTimestamp;
	}

	// Replace invalid URL query string characters +, / with valid characters -, _
	$invalidChars = ['+', '/'];
	$validChars = ['-', '_'];
	$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($hash, true)));

	// The URL is however, intentionally returned with the previously stripped parts (eg. playlist/{chunk}..)
	return 'https://' . $cdnResourceUrl . '/' . $finalHash . $expiryTimestamp . $filePath;
}

?>

Usage example

<?php

echo getSignedUrlPath('1234456789.rsc.cdn77.org', '/file/playlist/d.m3u8', 'ykX1QNTRvp3tfSn8', 1389183132);

// https://1234456789.rsc.cdn77.org/z--FA_CsNsR2TOV2eg9q4w==,1389183132/file/playlist/d.m3u8

?>

Generating secure token links for an IP address

The following example outlines how to use secure tokens with an additional IP address parameter. This enables you to lock a specific link to an IP address, while also making use of secure tokens. Please ensure that you also set the secure tokens to Path when using this feature.

<?php

/**
 * Create hash link Path CDN Resource
 */
function getSignedUrlPath(
	string $cdnResourceUrl,
	string $filePath,
	string $ip,
	string $secureToken,
	?int $expiryTimestamp = null
): string {
	// Because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
	// for which we generate the secure token. Because of that, everything included after the last slash is stripped.
	$strippedPath = substr($filePath, 0, strrpos($filePath, '/'));

	// Add slash to start of stripped path if missing
	if ($strippedPath[0] !== '/') {
		$strippedPath = '/' . $strippedPath;
		$filePath = '/' . $filePath;
	}

	$toHash = sprintf('%s%s%s%s', $strippedPath, $ip, " ", $secureToken);

	if ($expiryTimestamp) {
		$toHash = $expiryTimestamp . $toHash;
		$expiryTimestamp = ',' . $expiryTimestamp;
	}

	// Replace invalid URL query string characters +, / with valid characters -, _
	$invalidChars = ['+', '/'];
	$validChars = ['-', '_'];
	$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($toHash, true)));

	// The URL is however, intentionally returned with the previously stripped parts (eg. playlist/{chunk}..)
	return 'https://' . $cdnResourceUrl . '/' . $finalHash . $expiryTimestamp . $filePath;
}

?>

Usage example

<?php

echo getSignedUrlPath('1234456789.rsc.cdn77.org', '/live/playlist.m3u8', '1.2.3.4', 'sauhc8s2jscks', 1617203518);

// https://1234456789.rsc.cdn77.org/Iw_QFL8Z9c09tOeZTqUUsg==,1617203518/live/playlist.m3u8

?>

Generate signed URL

Type
Expiration

Content will be provided only until a specified time.

Enables you to lock the link to a specific IP address.

Updated on 8th October, 2024

Can’t find what you are looking for?