Secure token
Secure tokens protect your content by generating a unique hash that prevents unauthorised access to access your URL / file.
To enable the secure token option, just click on the "Secure token" option in the Access protection section after selecting the CDN Resource. Once enabled, you're presented with a key that is used as part of the process of generating secured links.
You can customise the link expiry with a timestamp. The most secure option is to include an IP address, should you wish to have full control over who's accessing your content and create links per user and the relevant IP address.
Main functions
- Secure tokens allow you to generate links to your live stream with an expiration time, effectively protecting your content.
- Generated secure links provide the content only within a predefined period of time and only to visitors who have the links which contain the secure hash.
- It is not possible to request secured content without a valid (non-expired) hash from the CDN resource.
- After the expiration time, the links are unavailable, and new ones must be generated in order to request the secured content again.
Hash
The hashing function of the secure token generator makes use of a standard MD5 message-digest algorithm which produces a 128-bit hash value.
Specifying the secure token path
If you plan on enabling secure tokens, you will then need to correctly generate the URLs to access your files through the CDN.
When activating secure tokens in your account, you're presented with the option to choose either Parameter or Path.
With regards to live-streaming, it is important that you set the secure tokens to Path. That way the CDN is able to properly secure your streams, using the PHP secure token generator which functions based on your live stream path.
Type parameter
To generate using Parameter secure token option, use the following code example:
<?php
/**
* Create hash link CDN resource
*/
function getSignedUrlParameter(
string $cdnResourceUrl,
string $filePath,
string $secureToken,
?int $expiryTimestamp = null
): string {
// Add slash to start of file path if missing
if ($filePath[0] !== '/') {
$filePath = '/' . $filePath;
}
// Cut the query string from file path (e.g. "/file/video.mp4?autoplay=true" changes to "/file/video.mp4")
if ($positionOfStartQuery = strpos($filePath, '?')) {
$filePath = substr($filePath, 0, $positionOfStartQuery);
}
$hash = $filePath . $secureToken;
if ($expiryTimestamp) {
$hash = $expiryTimestamp . $hash;
$expiryTimestamp = ',' . $expiryTimestamp;
}
// Replace invalid URL query string characters +, / with valid characters -, _
$invalidChars = ['+', '/'];
$validChars = ['-', '_'];
$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($hash, true)));
return 'https://' . $cdnResourceUrl . $filePath . '?secure=' . $finalHash . $expiryTimestamp;
}
?>
Usage example
<?php
echo getSignedUrlParameter('1234456789.rsc.cdn77.org', '/file/video.mp4', 'ykX1QNTRvp3tfSn8', 1389183132);
// https://1234456789.rsc.cdn77.org/file/video.mp4?secure=29QpicPWKD6RpuYMfC8LfA==,1389183132
?>
Type path
To generate using the Path secure token option, use the following code example:
<?php
/**
* Create hash link Path CDN Resource
*/
function getSignedUrlPath(
string $cdnResourceUrl,
string $filePath,
string $secureToken,
?int $expiryTimestamp = null
): string {
// Because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
// for which we generate the secure token. Because of that, everything included after the last slash is stripped.
$strippedPath = substr($filePath, 0, strrpos($filePath, '/'));
// Add slash to start of stripped path if missing
if ($strippedPath[0] !== '/') {
$strippedPath = '/' . $strippedPath;
$filePath = '/' . $filePath;
}
// Cut the query string from stripped path
if ($positionOfStartQuery = strpos($strippedPath, '?')) {
$filePath = substr($strippedPath, 0, $positionOfStartQuery);
}
$hash = $strippedPath . $secureToken;
if ($expiryTimestamp) {
$hash = $expiryTimestamp . $hash;
$expiryTimestamp = ',' . $expiryTimestamp;
}
// Replace invalid URL query string characters +, / with valid characters -, _
$invalidChars = ['+', '/'];
$validChars = ['-', '_'];
$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($hash, true)));
// The URL is however, intentionally returned with the previously stripped parts (eg. playlist/{chunk}..)
return 'https://' . $cdnResourceUrl . '/' . $finalHash . $expiryTimestamp . $filePath;
}
?>
Usage example
<?php
echo getSignedUrlPath('1234456789.rsc.cdn77.org', '/file/playlist/d.m3u8', 'ykX1QNTRvp3tfSn8', 1389183132);
// https://1234456789.rsc.cdn77.org/z--FA_CsNsR2TOV2eg9q4w==,1389183132/file/playlist/d.m3u8
?>
Generating secure token links for an IP address
The following example outlines how to use secure tokens with an additional IP address parameter. This enables you to lock a specific link to an IP address, while also making use of secure tokens. Please ensure that you also set the secure tokens to Path when using this feature.
<?php
/**
* Create hash link Path CDN Resource
*/
function getSignedUrlPath(
string $cdnResourceUrl,
string $filePath,
string $ip,
string $secureToken,
?int $expiryTimestamp = null
): string {
// Because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
// for which we generate the secure token. Because of that, everything included after the last slash is stripped.
$strippedPath = substr($filePath, 0, strrpos($filePath, '/'));
// Add slash to start of stripped path if missing
if ($strippedPath[0] !== '/') {
$strippedPath = '/' . $strippedPath;
$filePath = '/' . $filePath;
}
$toHash = sprintf('%s%s%s%s', $strippedPath, $ip, " ", $secureToken);
if ($expiryTimestamp) {
$toHash = $expiryTimestamp . $toHash;
$expiryTimestamp = ',' . $expiryTimestamp;
}
// Replace invalid URL query string characters +, / with valid characters -, _
$invalidChars = ['+', '/'];
$validChars = ['-', '_'];
$finalHash = str_replace($invalidChars, $validChars, base64_encode(md5($toHash, true)));
// The URL is however, intentionally returned with the previously stripped parts (eg. playlist/{chunk}..)
return 'https://' . $cdnResourceUrl . '/' . $finalHash . $expiryTimestamp . $filePath;
}
?>
Usage example
<?php
echo getSignedUrlPath('1234456789.rsc.cdn77.org', '/live/playlist.m3u8', '1.2.3.4', 'sauhc8s2jscks', 1617203518);
// https://1234456789.rsc.cdn77.org/Iw_QFL8Z9c09tOeZTqUUsg==,1617203518/live/playlist.m3u8
?>
Generate signed URL
Updated on 8th October, 2024