
How to issue license

In order to obtain a license, the player should make a POST request to one of the endpoints (depending on the DRM system supported by the device or the browser):

  • Widevine
  • FairPlay
  • Playready

Please check platform compatibility to see which DRM system is required in your case.

Acquisition sequence

If the video player supports DRM, it generates a license acquisition event automatically when it starts playing DRM-encrypted content. Typically, the video player has to be configured with a license acquisition URL. The player sends a POST request to the license acquisition URL. The body of the license request contains a payload (or "license challenge"), which carries the cryptographic data necessary to create an encrypted license. A DRM-enabled player creates this payload automatically. The only configuration the player needs is the License Acquisition URL and (in some cases, see below) HTTP headers for authorizing the request.

The license acquisition sequence is presented in the diagram below:

[Diagram: Licence Acquisition]

In the body of the request, the player should place the payload generated by the DRM component of your platform. Most players attach this payload to the body of the license request automatically; no additional code is required.

Additionally, two parameters are required to authenticate the license request:

  1. BrandGuid - an identifier of your application. This identifier is created by Insys VT and identifies the video services. BrandGuid can be passed as a querystring parameter of the license acquisition URL or in a custom HTTP header X-Drm-BrandGuid. For a FairPlay certificate endpoint, BrandGuid should be placed in a querystring.
  2. UserToken - a JWT token signed with a shared secret that authorizes a given license request. The token should be created and signed in your backend service. The secret key used for token signing should not be used on the frontend side. UserToken can be passed as a querystring parameter of the license acquisition URL or in a custom HTTP header X-Drm-UserToken. The token is not required for a FairPlay certificate request.

Integration parameters

Your dedicated endpoints (License Acquisition URLs) and all parameters for integration can be found in the web console. Please log in to the Cloud Video Kit web console and navigate to DRM -> Configuration -> License acquisition.

[Image: Licence Acquisition Parameters]

FairPlay license acquisition URL with IV & KID

When using Apple FairPlay, the license URL must include an additional KID parameter, which contains the Key ID of the content key in GUID format. For HLS, the specific license URL is provided within the M3U8 chunklist, found in the #EXT-X-KEY tag under the URI field.

To access the chunklist, open the manifest file, copy the name of any stream (e.g., "index_360p.m3u8"), and replace "index.m3u8" in the manifest link with the copied stream name.

Chunklist example:

#EXTM3U
#EXT-X-VERSION:5
#EXT-X-TARGETDURATION:11
#EXT-X-MEDIA-SEQUENCE:1
#EXT-X-PLAYLIST-TYPE:VOD
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://videokit-demo.la.drm.cloud/acquire-license/fairplay?
BrandGuid=5177e549-****-****-ba16-6104d4f68147&
KID=93b68891-****-****-baac-e589a13fd20c&
IV=1f3a1d7ce87a4cd3846038fcf4d05f82",KEYFORMAT="com.apple.streamingkeydelivery",
KEYFORMATVERSIONS="1",IV=0x1F3A1D7CE87A4CD3846038FCF4D05F82

The player should use the URI from the chunklist (not manifest!) and replace the “skd://” with “https://”. In the example above, the license can be obtained from this link: https://videokit-demo.la.drm.cloud/acquire-license/fairplay?BrandGuid=5177e549-****-****-ba16-6104d4f68147&KID=93b68891-****-****-baac-e589a13fd20c&IV=1f3a1d7ce87a4cd3846038fcf4d05f82

The BrandGuid and UserToken can be passed as querystring parameters or HTTP headers as described above. The FairPlay player has to send the payload (or SPC, according to the Apple FairPlay glossary) in the license acquisition POST request. The license acquisition request can use the following Content-Type headers:

  • Content-Type: application/x-www-form-urlencoded - the body of the request must contain the SPC field (spc=<encoded body>)
  • Content-Type: multipart/form-data - the body of the request must contain the SPC field.
  • Content-Type: application/octet-stream - the body of the request must contain binary SPC data

Depending on the Accept header of the request, the server returns the license (or CKC, according to the Apple FairPlay glossary) in different formats:

  • If the Accept header contains application/json, a JSON object with a ckc field containing the base64-encoded CKC is returned as follows: {"ckc": <base64>}. The Content-Type of the response is set to "application/json".
  • In other cases, the response will be of the “application/octet-stream” type and the body will contain binary CKC data.
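
The FairPlay steps above (taking the license URL from the chunklist's #EXT-X-KEY URI, then the SPC POST and the JSON CKC response), as an added JavaScript example that is not Cloud Video Kit's own code. The function names, the allowed-host check and the sample chunklist values are assumptions made for illustration.

```javascript
// Added example; buildFairPlayRequest and parseCkcResponse are hypothetical names.
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed sample chunklist: host, BrandGuid, KID and IV are placeholders.
const SAMPLE_CHUNKLIST = [
  "#EXTM3U",
  "#EXT-X-VERSION:5",
  '#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://license.example.com/acquire-license/fairplay?' +
    "BrandGuid=00000000-0000-0000-0000-000000000001&" +
    "KID=00000000-0000-0000-0000-000000000002&" +
    'IV=000102030405060708090a0b0c0d0e0f",KEYFORMAT="com.apple.streamingkeydelivery",' +
    'KEYFORMATVERSIONS="1",IV=0x000102030405060708090A0B0C0D0E0F',
].join("\n");

// Derives the HTTPS license request from the chunklist's #EXT-X-KEY URI.
function buildFairPlayRequest(chunklist, userToken, allowedHost) {
  const m = /#EXT-X-KEY:[^\n]*?URI="([^"]+)"/.exec(chunklist);
  if (!m) throw new Error("no #EXT-X-KEY URI in chunklist");
  const raw = m[1].replace(/\s+/g, ""); // tolerate a URI wrapped for display
  if (!raw.startsWith("skd://")) throw new Error("unexpected key URI scheme");
  const url = new URL("https://" + raw.slice("skd://".length));
  // Added check (assumption, not from the page): the playlist is input the
  // player did not author, so only send the token to the expected host.
  if (url.host !== allowedHost) throw new Error("license host not allowed");
  const kid = url.searchParams.get("KID");
  if (!kid || !GUID_RE.test(kid)) throw new Error("KID missing or not a GUID");
  return {
    url: url.href,
    method: "POST",
    headers: {
      "Content-Type": "application/octet-stream", // body is the binary SPC
      Accept: "application/json", // ask for {"ckc": <base64>}
      "X-Drm-UserToken": userToken, // header form keeps the token out of the URL
    },
  };
}

// Decodes the JSON license response into the binary CKC.
function parseCkcResponse(jsonText) {
  const ckc = JSON.parse(jsonText).ckc;
  if (typeof ckc !== "string" || !ckc) throw new Error("response has no ckc field");
  return Uint8Array.from(atob(ckc), (c) => c.charCodeAt(0));
}
```

The returned object can be passed to fetch together with the binary SPC as the request body; the UserToken itself still has to be issued by the backend.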

FairPlay Streaming Certificate

To use FairPlay in production, you need to generate a FairPlay Streaming Certificate via the Apple platform and share it with us. For testing purposes we give you a temporary FPS Certificate, which has to be replaced by your own Certificate before you go live. You can find the URL of the FPS Certificate attached to your tenant in the web console. Please navigate to DRM -> Configuration -> License acquisition -> Fairplay Certificate.

Read more about FPS and how to generate your certificate here.