Protect a Wowza CDN on Fastly stream target with token authentication in Wowza Video

The Wowza Video™ service uses Wowza CDN on Fastly stream targets by default to deliver your live streams to viewers. You can secure these Wowza CDN on Fastly stream targets, and your live stream, with token authentication. Token authentication protects streams by ensuring that they are accessed only by viewers who have the token, preventing playback URLs from being shared by unauthorized users and protecting your stream from player hijacking attacks. Use token authentication to make the stream playback URL unavailable after a certain length of time, to limit access to approved IP addresses, or to apply other restrictions.

Token authentication is disabled by default. To use it, enable it, test it, and then generate your own query parameters to secure the stream.

Before you start


You should complete the following task:

About token authentication


Token-based authentication uses a multipart token that consists of a delimited list of string fields. One field is an HMAC, or keyed-hash message authentication code. HMAC is a common mechanism for message authentication that uses cryptographic hash functions. The HMAC portion of the token hashes a trusted shared secret that you create in Wowza Video. It is short-lived and secures initial access to the stream.

The second part of the token, a cookie, is valid for the duration of the stream and protects segments that are delivered during playback. It restricts access to the stream according to query parameters that you specify. For example, you can expire the stream after a certain length of time or let only allowlisted IP addresses access it.

You append the token to the stream target's playback URL, and then Wowza Video only lets viewers receive the content after it verifies the presence and validity of the token.

Token authentication is managed by the browser, and viewers' browsers must allow cookies in order for streams protected by token authentication to play.

1. Enable token authentication


To enable and configure token authentication:

  1. Go to Live streams in the navigation.
  2. Select a live stream.
  3. Click the Security tab.
  4. Under Token Authentication, check the Protect this stream with token authentication checkbox.
  5. Click Generate to generate a shared secret or enter your own secret in the Shared Secret field. If you enter your own secret, make sure it:
    • Is an even-length hexadecimal string between 2 and 32 characters.
    • Contains only 0 through 9 and/or the letters a through f.
  6. Optionally, select Only protect the multivariant playlist file to protect the multivariant playlist (formerly called master playlist) only and leave individual media playlists and media segments unprotected. This feature enables playback compatibility with media players that don’t support the withCredentials property. It may also be useful when addressing token auth compatibility issues with specific browsers.
  7. Click Save changes.

When token authentication is enabled, you can view the shared secret on the Security tab of the target detail page by clicking the show (eyeball) icon.

2. Update the playback URL


Now that you've enabled token authentication, update the HLS playback URL that you'll use in your player so that it references the token and any other supported token-related security you want to use.

The resulting playback URL will look similar to this:

https://[subdomain].wowza.com/1/[stream_id]/[stream_name]/hls/live/playlist.m3u8?hdnts=ip=10.1.1.1~st=1578421200~exp=1578421449~hmac=073e5b930fb494728164cad5da037eb2e9429282f33f9f89df04241bd530f74d

Note: Changing the trusted shared secret invalidates all existing tokens.

The hdnts query parameter at the end of the playback URL above contains a token string (token + query parameters) for allowing access to the content, expiring access to the content, and restricting the content playback to a specific IP address.

The token string must include the query parameters in the following order: IP address, start time, and end time.

  1. Review the token auth examples from Wowza's GitHub space to understand how to create your own token string with additional query parameters.
  2. Locate your HLS playback URL on the Overview page for your live stream.
  3. Copy both the HLS playback URL and your token string to another tool and concatenate them.
  4. Add any restrictions to the stream according to query parameters that you specify. 
  5. Use the secured HLS playback URL from step 4 in your player.

Example HLS playback URL with token authentication

https://[subdomain].wowza.com/1/[stream_id]/[stream_name]/hls/live/playlist.m3u8?hdnts=exp=1578424041~hmac=0428782df32a8a8b91823889756d8084997cf45c58375d526dc9852808b35721
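
The following check is an added example, not code from Wowza or from its token auth examples. It validates a shared secret against the rules in step 1 and lints a tokenized playback URL for field order, a well-formed hmac, and a sane expiry window before the URL goes into a player; it does not compute the HMAC. The function names and the max_lifetime policy value are assumptions made for this example.

```python
import ipaddress
import re

FIELD_ORDER = ["ip", "st", "exp"]  # order the page requires; hmac closes the token
# First example URL from this page, placeholders left as published.
PAGE_URL = ("https://[subdomain].wowza.com/1/[stream_id]/[stream_name]/hls/live/"
            "playlist.m3u8?hdnts=ip=10.1.1.1~st=1578421200~exp=1578421449~hmac="
            "073e5b930fb494728164cad5da037eb2e9429282f33f9f89df04241bd530f74d")

def secret_is_valid(secret):
    """Shared-secret rule from step 1: even-length hex, 2 to 32 chars, 0-9 and a-f."""
    return len(secret) % 2 == 0 and re.fullmatch(r"[0-9a-f]{2,32}", secret) is not None

def parse_token(url):
    """Return the hdnts fields of a playback URL as ordered (name, value) pairs."""
    query = url.partition("?")[2]
    if not query.startswith("hdnts="):
        raise ValueError("playback URL carries no hdnts token")
    parts = query[len("hdnts="):].split("~")
    return [(p.partition("=")[0], p.partition("=")[2]) for p in parts]

def lint_token(url, now, max_lifetime=3600):
    """List problems in a tokenized URL. max_lifetime (seconds) is a local policy
    value assumed for this example, not a Wowza setting."""
    fields = parse_token(url)
    names = [name for name, _ in fields]
    values = dict(fields)
    problems = []
    # 64 hex characters matches the hmac length in the page's two example URLs.
    if names[-1] != "hmac" or not re.fullmatch(r"[0-9a-f]{64}", values["hmac"]):
        problems.append("hmac missing, malformed, or not last")
    if [n for n in names if n in FIELD_ORDER] != [n for n in FIELD_ORDER if n in names]:
        problems.append("fields out of order (expected ip, st, exp)")
    if "ip" in values:
        try:
            ipaddress.ip_address(values["ip"])
        except ValueError:
            problems.append("ip is not a valid address")
    if not values.get("exp", "").isdigit():
        return problems + ["exp missing or not a Unix timestamp"]
    exp = int(values["exp"])
    # Without st, measure the lifetime from the time of the check.
    st = int(values["st"]) if values.get("st", "").isdigit() else now
    if exp <= now:
        problems.append("token already expired")
    if exp - st > max_lifetime:
        problems.append("lifetime exceeds policy")
    return problems
```

Run lint_token with the current Unix time as now; an empty list means the token string is structurally sound, not that the hmac will verify.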

See this article to configure and add token authentication for streams using Wowza CDN on Fastly targets through our Wowza Video REST API: