URL (Token) Signing

The JW Player dashboard and the Platform API contain a security feature that enables you to lock down public access to videos and/or players. When either videos or players are secured, they can only be requested through so-called signed URLs. These URLs are valid for a short time, so people stealing your video or embed codes will soon end up with broken links.

Signing Overview

URL Signing is a very common content protection mechanism and essentially works as follows:

  • You calculate a signature based on the required expiration time, the path of the link, and the secret key of your account.
  • In the video request to our content server you send us the path of the link, the required expiration time and the signature that you generated.
  • We know your secret key too, so we calculate a signature based on the path of the link, the expiration time and your secret key.
  • If the signature that we calculated is the same as the one you sent us, and the the expiration time is still in the future, our contentserver will then serve up the content that was requested.
  • If the signature doesn't match, or the timestamp is outdated, we deny the request.

Enabling URL Signing in the Dashboard

The setting to enable video/player signing can be found under Account > Properties > (Choose Property) settings.

There are multiple ways to secure your videos and players by using the two settings, which are both defaulted to off, but can be turned on or off independently.  

No URL signing enabled (Default)
This is the lowest security setting. Anybody will be able to download your content and embed your player on their website. This setting is great if you wish to make your content viral, e.g. by using Social Sharing
Secured Video URLs: ON
With this setting anyone will still be able to embed your player into their website, but people will not be able to link to your videos. This means that people cannot just download and/or deep-link to your videos. If you do wish to make download links available, you will have to generate a signed URL (see below).
Secured Embeds: ON
Use this setting if you want to lock down embedding of your players, e.g. when you rely on advertising. You need to have a piece of code on your website to dynamically generate signed player links (see below).
Secured Video URLs and Secured Embeds both ON
This is the tightest setting. Both video download links and player embed codes need to be signed in order to work.
 

Signing Walkthrough: How it Works

This article has attached both a PHP example script and a Python example script. We now walk through the PHP example to explain how the signing actually works:

if($timeout) {
    $expires = time() + $timeout;
} else { 
    $expires = time() + 3600;
}

First we set the timeout time. The timeout time is the UNIX timestamp of now plus the timeout in seconds. If no timeout has been set, this script assumes an expire time of an hour.

$signature = md5($path.':'.$expires.':'.$secret);

Here we build a signature. The signature is an MD5sum of the path, the expire time and the secret key of your account. If we use the filename and the key from the example the command would look as follows when the values have been filled out:

$signature = md5(videos/nPripu9l.mp4:1271760610:oJ1UsW4hptQ3LfSrle0j7mnf);

The last part is the construction of the actual URL:

if($domain) {
    $url = 'http://'.$domain.'/'.$path.'?exp='.$expires.'&sig='.$signature;
} else {
    $url = 'http://content.jwplatform.com/'.$path.'?exp='.$expires.'&sig='.$signature;
}
return $url;

If you DNS mask our contentserver you will have to enter the DNS mask that you used here, otherwise the script assumes that you're using embed links straight from our content server. Here we use the data that you entered and the signature you generated to construct a final URL which looks something like this:

http://dashboard.jwplatform.com/videos/nPripu9l.mp4?exp=1271760610&sig=b59b91370f4faf4815b6736db10e5041

Did you find this article helpful?

Please log in to rate this article.