Setting a Token Authentication - protect your CDN content
The Token Auth, Token Auth Primary Key, Token Auth Backup Key and Token Auth Protected Paths options of CDN Video, CDN Video Push and CDN Live services allow you to protect your CDN streams from unwanted viewers.
Only requests with a valid token (also referred as signature, secure or hash) are allowed to access your stream. Moreover the token can contain its expiration time and allowed/denied referrer domains.
An example of CDN URL with token
As you can see in the above example the token is added to the URL as a value of a query string parameter ?token=.
Token expiration time use case
Token can contain its expiration time. Let's assume that you want to provide a CDN URL to your customer which can not be shared with public. For example the customer paid you for access to your stream so you want to provide him a CDN URL to view the stream but you don't want to allow him to share this CDN URL with everyone. Solution in this case is to provide him a CDN URL with token containing expiration time close to expiry (few seconds or minutes). Using this CDN URL he will be able to access your stream but if he will share the CDN URL with public then it will not open access to your stream because the CDN URL token will be expired. Please note that token is validated only at the beginning of a connection, it is not being validated during an ongoing connection.
How to enable Token Authentication
Token Authentication can be enabled during a CDN service creation (in advanced settings) or on the Services/Settings page.
Select "Enabled" from the Token Auth select box, generate a Token Auth Primary Key and optionally generate a Token Auth Backup Key and fill in Token Auth Protected Paths as in the picture below.
Token Authentication options
- Token Auth Primary Key - primary key used to generate token for your CDN streaming URLs.
- Token Auth Backup Key - backup key used to generate token for your CDN streaming URLs. It is useful when you need to change your primary key. Please refer below for more details.
- Token Auth Protected Paths - a list of paths (one per line) protected by token authentication. By default (if you leave the field empty) all paths are protected (equivalent to the path "/").
How to change Token Auth Primary Key
To change Token Auth Primary Key on a production CDN service we recommend the following procedure.
- Copy the existing Token Auth Primary Key and paste it to the Token Auth Backup Key field.
- Fill in a new primary key to the Token Auth Primary Key field.
- Wait few minutes for propagation of the change and then remove the Token Auth Backup Key (your former primary key).
How to generate token
To generate a token you can make use of our token generators below. Please note that anyone is welcome to contribute on our GitHub.
Download our Java Token generator for Wowza Token Authentication from the GitHub and follow instructions from the README.md file.
Download our .NET Token generator for Wowza Token Authentication from the GitHub and follow instructions from the README.md file.
Download our PHP Token generator for Wowza Token Authentication from the GitHub and follow instructions from the README.md file.
Please note that token authentication is supported only with RTMP, HLS and MSS protocols. It is not supported with RTSP and HDS protocols. Please refer to Supported CDN streaming protocols and formats for more details.
Read about the following topics.