Wowza Community

New SecureToken implementation

I am implementing Streamlock to enable HTML5 video playback, but where with RTMP you can limit the domains allowed to stream, this doesn’t seem to be available for https connections using streamlock (

Because of that, I am looking at the SecureToken implementation but am having some pretty big problems figuring out what I am doing wrong. After going through the documentation a bit, I came across the PHP code here:

which I implemented.

For simplicity’s sake, I will just publish my secret token and change it as soon as the solution is found. In the application.xml it is set to auto accept all connections. We are using adaptive bitrate switching, so I had to leave off the playlist.m3u8 from the end of the value to hash.

Using the Github code from above, I passed it this info:

$wowzaToken = new \remiheens\WowzaSecureToken\WowzaSecureToken('wowzatoken','d1e37335a7154ac1');

$starttime = time();
$endtime = strtotime('+3 HOUR');
$params = array(
    'endtime' => $endtime,
    'starttime' => $starttime


$hash = $wowzaToken->getHash();

$url = $wowzaToken->getFullURL();


This returned back the string:

which I tried to put in, but get the message: “Error loading stream: Manifest not found or invalid”. Now the docs only talked about removing the playlist.m3u8, but I modified the string to put it back in and now get this message:

“Cannot load M3U8: 403 Forbidden”

It isn’t writing anything to the log files, so I am not sure why I am getting that error, everything works just fine prior to enabling the SecureToken.

I tried simplifying the jwplayer code to bare bones for testing, this is where it is at:


            //Setup video player
            videoPlayer = jwplayer("video-object").setup({
                            {file: ""}
                modes: [
                { type: "html5" },
                { type: "flash", src: "player.swf" }



It started working, and I have no idea why. This was my final PHP code that I ended up with, then you just echo back the $playbackURL into the “file” object.

$clientIP = null; // provide client IP optionally
$host = ""; // your ip/host
$url= "https://".$host."/";
$stream = "s3/_definst_/smil:coursesaver/774/resolutions/resolutions.smil"; // your stream
$start = time();
$end = strtotime("+30 minutes");

$secret = "d1e37335a7154ac1";
$tokenName = "wowzatoken";

$hash = "";
    $hash = hash('sha256', $stream."?".$secret."&{$tokenName}endtime=".$end."&{$tokenName}starttime=".$start, true); // generate the hash string

    $hash = hash('sha256', $stream."?".$clientIP."&".$secret."&{$tokenName}endtime=".$end."&{$tokenName}starttime=".$start, true); // generate the hash string

$base64Hash = strtr(base64_encode($hash), '+/', '-_');
$params = array("{$tokenName}starttime=".$start, "{$tokenName}endtime=".$end, "{$tokenName}hash=".$base64Hash);

    $params[] = $clientIP;


$playbackURL = $url.$stream."/playlist.m3u8?";

    $playbackURL = $url.$stream."?";

foreach($params as $entry){
    $playbackURL.= $entry."&";

$playbackURL = preg_replace("/(\&)$/","", $playbackURL);


I really wish I knew what made it work, because I have 5 more servers to configure, but hopefully I will figure it out along the way.

Hello ! Can you help me with a complete SecureToken v2 script and configuration details for JWplayer? For a long time I have this problem and I can not configure a token generation script or how to configure the JWplayer player.