Add SecureToken protection to JW Player with Wowza Streaming Engine

This article provides instructions for enabling SecureToken content protection for JW Player with MPEG-DASH, HLS, and RTMP streams. SecureToken is a challenge/response-based security system that, when used in conjunction with RTMPS or RTMPE/RTMPTE, provides a high level of content protection against spoofing threats. Support for SecureToken is built into the player.

  • For use with JW Player 6 and Wowza Streaming Engine™ media server software. JW Player 6.11 (or later) is required to use RTMPS.
  • JW Player can now accept RTSP streams within its scripts. See Use JW Player with Wowza Streaming Engine for examples of embedding RTSP links within JW Player.
  • JW Player is a Works with Wowza™ partner.



About SecureToken

SecureToken is a challenge/response-based security system that, when used in conjunction with RTMPS or RTMPE/RTMPTE, provides a high level of content protection against spoofing threats. Each connection is protected by a random single-use key and a password (shared secret).

When a client connects to Wowza Streaming Engine, a security module in the server software generates a unique key for the pending connection. The generated key is encrypted using a shared secret and is returned as part of the NetConnection.onStatus info object. The client decrypts the unique key using the same shared secret and sends the result back to the module. The server then compares this value to the originally generated key and rejects the connection if the values don't match.

Important: To help protect content from the latest "leech" programs, you should use a secure RTMP protocol (either RTMPS or RTMPE) with SecureToken when connecting to Wowza Streaming Engine. For example:




We recommend the Wowza StreamLock™ AddOn, which provides a free 256-bit SSL certificate that can be used for all of your stream encryption needs with Wowza media server software. StreamLock-provisioned SSL certificates provide the best security when used with secure RTMP streaming (RTMPS). The certificates can also be used for secure HTTP streaming (HTTPS). For more information, see Get SSL certificates from the Wowza Streaming Engine StreamLock service.
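
The challenge/response exchange described above, modeled end to end as an added example (not Wowza or JW Player code). It uses the classic TEA block cipher with a constructed key derivation and hex encoding, so it shows the handshake logic and the single-use check rather than the real wire format; ServerModule, client_response and the connection IDs are hypothetical names.

```python
import hmac
import secrets
import struct

DELTA, MASK = 0x9E3779B9, 0xFFFFFFFF

def key_words(secret: str):
    # Assumption: the secret's bytes, truncated/zero-padded to a 128-bit TEA key.
    return struct.unpack(">4I", secret.encode()[:16].ljust(16, b"\0"))

def _mix(v, s, ka, kb):
    # TEA round function; callers mask the result back to 32 bits.
    return ((v << 4) + ka) ^ (v + s) ^ ((v >> 5) + kb)

def tea_encrypt(block: bytes, k) -> bytes:
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(32):
        s = (s + DELTA) & MASK
        v0 = (v0 + _mix(v1, s, k[0], k[1])) & MASK
        v1 = (v1 + _mix(v0, s, k[2], k[3])) & MASK
    return struct.pack(">2I", v0, v1)

def tea_decrypt(block: bytes, k) -> bytes:
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * 32) & MASK
    for _ in range(32):
        v1 = (v1 - _mix(v0, s, k[2], k[3])) & MASK
        v0 = (v0 - _mix(v1, s, k[0], k[1])) & MASK
        s = (s - DELTA) & MASK
    return struct.pack(">2I", v0, v1)

class ServerModule:
    """Hypothetical stand-in for the server-side security module."""
    def __init__(self, secret: str):
        self.key, self.pending = key_words(secret), {}

    def challenge(self, conn_id: str) -> str:
        nonce = secrets.token_bytes(8)             # unique key for this connection
        self.pending[conn_id] = nonce
        return tea_encrypt(nonce, self.key).hex()  # returned in the onStatus info object

    def verify(self, conn_id: str, response: str) -> bool:
        nonce = self.pending.pop(conn_id, None)    # single use: a replay finds nothing
        return nonce is not None and hmac.compare_digest(nonce.hex(), response)

def client_response(token: str, secret: str) -> str:
    # Player side: decrypt the challenge with the shared secret and send it back.
    return tea_decrypt(bytes.fromhex(token), key_words(secret)).hex()
```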

Server configuration

  1. In Wowza Streaming Engine Manager, create an application to use with SecureToken ([secureApplication]). You can also use the default vod and live applications.
  2. Click Playback Security for your application in the contents panel:

  3. Follow the Secure Token instructions to create a shared secret.
    Note: The shared secret that you create in this step is also used in the following section that demonstrates how to configure secure token protection in JW Player. Be sure to update the shared secret value on the server and in JW Player before putting your system into production. For more information, see Updating the shared secret.
  4. Restart Wowza Streaming Engine.

Player configuration

  1. Download the JW Player for Flash source code ([jw-source-code]). JW Player is commercial software.
    • The source code is for the Free edition of JW Player. Source code isn't available for licensed versions of JW Player.
    • RTMPS is only applicable with recent versions of JW Player.
  2. Open [jw-source-code]/src/flash/com/longtailvideo/jwplayer/media/ in a text editor and update the code to use the example shared secret that you created in Wowza Streaming Engine Manager (for example, 7a97766ef65e9050) from:
    if ( != undefined) {
      var hash:String = TEA.decrypt(, getConfigProperty('securetoken'));"secureTokenResponse", null, hash);

    to:

    if ( != undefined) {
      var hash:String = TEA.decrypt(, "7a97766ef65e9050");"secureTokenResponse", null, hash);
  3. Compile with the Flex SDK or Flex Builder using the instructions provided in JW Player build instructions.
  4. Configure JW Player on a web server. For instructions, see JW Player configuration. We recommend placing everything in a jwplayer folder in the web server www root. This folder must contain the following files:
    • jwplayer.flash.swf - The Flash-based player
    • jwplayer.js - The JW Embedder JavaScript library
  5. Follow the instructions in the extracted README.html file for embedding JW Player in a webpage. When you insert the sample JW Player embed code at the place where you want your video to appear, change:
    <div id="myElement">Loading the player...</div>
    <script type="text/javascript">
        jwplayer("myElement").setup({
            file: "/uploads/myVideo.mp4",
            image: "/uploads/myPoster.jpg"
        });
    </script>

    to:

    <div style="width:560px; height:700px;margin:0 auto;padding:20px;float:left">

    Where [StreamLockID] is the unique StreamLock domain name for your Wowza Streaming Engine instance. Note that the RTMPS protocol is used. 

Note: If you re-purpose this example to stream an FLV file, you must change the default setting in Wowza Streaming Engine to support the Flash Video container format. For more information, see Specifying the VOD container format for JW Player.

Updating the shared secret

After you have the above working with the example shared secret, do the following to update the shared secret to your own value:
  1. In Wowza Streaming Engine Manager, create a new shared secret value using the Server configuration instructions.
  2. Edit the file in [jw-source-code] to change the string passed to the secureTokenResponse callback to the same value as above, and then use Flex Builder to republish the jwplayer.flash.swf file.