
Enabling Secure Tokens For Live Streams and VOD

General

Secure tokens protect your content by generating a unique hash that prevents unauthorised access to your live stream link.

Once enabled in your Account (CDN Resource -> Access Protection), you're presented with a key, which is used as part of the process to generate secured links.

You can customise the link expiry with a timestamp. The most secure option is to also include an IP address: this gives you full control over who is accessing your content, with links created per user and bound to the relevant IP address.

Main Functions

1. Secure tokens allow you to generate links to your live stream with an expiration time, effectively protecting your content.

2. Generated secure links provide the content only within a predefined period of time and only to visitors who have the links which contain the secure hash.

3. It is not possible to request secured content from the CDN resource without a valid (unexpired) hash.

4. After the expiration time, the links are unavailable and new ones must be generated in order to request the secured content again.

To enable the secure token option, select the CDN Resource and click on the “Secure Token” option in the Access Protection section.

Hash

The hashing function of the secure token generator makes use of a standard MD5 message-digest algorithm which produces a 128-bit hash value.

Specifying The Secure Token Path

If you plan on enabling Secure Tokens, you will then need to correctly generate the URLs to access your files through the CDN.

When activating secure tokens in your account, you're presented with the option to choose either Parameter or Path.

With regard to live streaming, it is important that you set the secure tokens to Path. That way the CDN is able to properly secure your streams, using the PHP secure token generator, which works from your live stream path.

Generating Secure Token Links

To generate links using the Path secure token option, use the following code example:

    <?php

    /**
     * Create hash link Path CDN Resource
     *
     * @param string $cdnResourceUrl
     * @param string $filePath
     * @param string $secureToken
     * @param ?int $expiryTimestamp
     * @return string
     */
    function getSignedUrlPath(string $cdnResourceUrl, string $filePath, string $secureToken, ?int $expiryTimestamp = NULL) : string
    {
        // because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string
        // for which we generate the secure token. Because of that, everything included after the last slash is stripped.
        $strippedPath = substr($filePath, 0, strrpos($filePath, '/'));

        // replace the base64 characters + and / with the URL-safe characters - and _ (the = padding is kept)
        $invalidChars = ['+','/'];
        $validChars = ['-','_'];

        if ($strippedPath[0] != '/') {
            $strippedPath = '/' . $strippedPath;
        }

        if ($pos = strpos($strippedPath, '?')) {
            $filePath = substr($strippedPath, 0, $pos);
        }

        // hash input: [expiry timestamp] + stripped path + secure token
        $hashStr = $strippedPath . $secureToken;

        if ($expiryTimestamp) {
            $hashStr = $expiryTimestamp . $hashStr;
            $expiryTimestamp = ',' . $expiryTimestamp;
        }

        // the URL is, however, intentionally returned with the previously stripped parts (e.g. playlist/{chunk}..)
        return 'http://' . $cdnResourceUrl . '/' .
            str_replace($invalidChars, $validChars, base64_encode(md5($hashStr, TRUE))) .
            $expiryTimestamp . $filePath;
    }

Usage Example

  

    $signedUrlPath = getSignedUrlPath('1234456789.rsc.cdn77.org', '/file/playlist/d.m3u8', 'ykX1QNTRvp3tfSn8', 1389183132);

    // http://1234456789.rsc.cdn77.org/z--FA_CsNsR2TOV2eg9q4w==,1389183132/file/playlist/d.m3u8
    print $signedUrlPath;

Generating Secure Token Links for an IP Address


The following example outlines how to use Secure Tokens with an additional IP address parameter. This enables you to lock a specific link to an IP address, while also making use of secure tokens.
Please ensure that you also set the Secure Tokens to Path when using this feature.


    <?php

    echo generateHashLink2('1234456789.rsc.cdn77.org', 'path_to_file', 'IP_Address', 'token', 1558714275);

    function generateHashLink2($cdnResourceUrl, $filePath, $ip, $secretKey, $expiryTimestamp = NULL) {

        // everything after the last slash (e.g. the playlist or chunk name) is not part of the hashed path
        $filePath2 = substr($filePath, 0, strrpos($filePath, '/'));

        // URL-safe replacements for the base64 characters + and /
        $searchChars = array('+','/');
        $replaceChars = array('-', '_');

        if ($filePath2[0] != '/') {
            $filePath2 = "/{$filePath2}";
        }

        if ($pos = strpos($filePath2, '?')) {
            $filePath = substr($filePath2, 0, $pos);
        }

        // unlike the plain Path variant ($filePath2 . $secretKey), the hash input here also
        // contains the IP address, followed by a space, before the secret key
        $hashStr = "$filePath2$ip $secretKey";

        if ($expiryTimestamp) {
            $hashStr = $expiryTimestamp . $hashStr;
            $expiryTimestamp = ",{$expiryTimestamp}";
        }

        return "http://{$cdnResourceUrl}/" .
            str_replace($searchChars, $replaceChars, base64_encode(md5($hashStr, TRUE))) .
            $expiryTimestamp . $filePath;
    }

    ?>

Please Note:

It is also possible to create a similar generator in another programming language of your choice; the generator is not limited to the PHP examples above.
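As an added example (not CDN77's own code), here is a Python port of both PHP generators above, together with a local check for testing the links a generator produces. The function names, the sample host, key and IP address, and the check's expiry rule are assumptions; paths are assumed to carry no query string, and a path without a leading slash is normalised to have one.

```python
import base64
import hashlib
import hmac
import time


def make_token(dir_path, secret, expiry=None, ip=None):
    """URL-safe base64 of the raw MD5 digest, as in the PHP examples."""
    # The IP variant hashes path + ip + ' ' + secret (the space is in the PHP).
    body = f"{dir_path}{secret}" if ip is None else f"{dir_path}{ip} {secret}"
    if expiry:
        body = f"{expiry}{body}"
    digest = hashlib.md5(body.encode()).digest()
    # urlsafe_b64encode swaps '+' -> '-' and '/' -> '_' and keeps '=' padding.
    return base64.urlsafe_b64encode(digest).decode()


def split_dir(file_path):
    """Normalise to a leading '/', then drop everything after the last '/'."""
    if not file_path.startswith("/"):
        file_path = "/" + file_path
    return file_path, (file_path.rsplit("/", 1)[0] or "/")


def signed_url(host, file_path, secret, expiry=None, ip=None):
    file_path, dir_path = split_dir(file_path)
    token = make_token(dir_path, secret, expiry, ip)
    return f"http://{host}/{token}{',' + str(expiry) if expiry else ''}{file_path}"


def check_url_path(url_path, secret, client_ip=None, now=None):
    """Re-check '/<token>[,<expiry>]/<file path>' locally (assumed CDN rule:
    reject when the expiry is in the past or the recomputed token differs)."""
    first, _, rest = url_path.lstrip("/").partition("/")
    token, _, exp = first.partition(",")
    expiry = int(exp) if exp.isdigit() else None
    now = time.time() if now is None else now
    if expiry is not None and now > expiry:
        return False
    _, dir_path = split_dir(rest)
    expected = make_token(dir_path, secret, expiry, client_ip)
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.7 is a documentation address.
    url = signed_url("cdn.example.test", "/file/playlist/d.m3u8", "demo-key", 2000000000, "203.0.113.7")
    path = url.split("cdn.example.test", 1)[1]
    print(url, check_url_path(path, "demo-key", "203.0.113.7", now=1999999999))
```

Because the hash covers only the directory part of the path, one signed link authorises every file in that directory until it expires, which is what lets a single token cover an HLS/DASH playlist and its chunks.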