Protect your content

Activate content protection on your Live and VOD streams.

Content protection concepts

MK/IO lets you deliver video content to end-consumers in a controlled and secure manner. MK/IO’s streaming endpoints can deliver content using AES-128 (advanced encryption standard) or any of the three major studio-approved digital rights management systems: Microsoft PlayReady, Google Widevine, and Apple FairPlay.

Clear Key based protection systems

  • HLS with AES-128: Clear Key protection with AES-128 encryption used to protect content on all devices. Note: AES-128 does not provide the same level of security as the three DRM systems listed below.
  • DASH with Clear Key: Clear Key protection with AES-128 encryption used to protect content on all devices. Note: AES-128 does not provide the same level of security as the three DRM systems listed below.

DRM systems

  • Apple FairPlay: DRM for iOS, tvOS, iPadOS, Safari, and MacOS devices.
  • Google Widevine: DRM for Google Chrome, Firefox, Android, Android TV, and many other streaming devices.
  • Microsoft PlayReady: DRM for Microsoft Edge, Xbox, and other streaming video platforms.

JWT tokens

A common use case for applying content protection to your content is to ensure users have the correct entitlement to access the video content. This is achievable by requiring an HTTP Header in the DRM license request and asking the MK/IO system to validate the values inside of the Issuer and Audience field in the JWT token.

High-level content protection workflow

Enable content protection for your assets (Live or VOD) by following these high-level steps:

  1. Create or reuse a Streaming Endpoint.
  2. Create a Content Key Policy that references your chosen protection schemes (Clear Key, FairPlay, Widevine, and/or PlayReady). Inside this protection scheme you can decide if you want to control access based on Issuer and Audience parameters in a JWT token.
  3. Create a Streaming Locator referencing your Content Key Policy.
  4. Pass the additional information required to MKPlayer or your desired video playback SDK.

Creating your content key policy

  1. Select the Content Key Policies in the left menu.
  2. Click Create Content Key Policy on the top right.
  3. Fill in a name and description.
  4. Add any number of content protection schemes (Clear Key, Widevine, PlayReady, and/or FairPlay).
    • Select “No” if you do not wish to enable token authentication in your DRM license or key request.
    • Select “Yes” to enable token authentication and specify the Issuer, Audience, and base64-encoded JWT verification key.
  5. Click Create.

⚠️

It is not recommended to add Clear Key to a policy that is targeted for DRM as it reduces the security effectiveness.

Adding a streaming locator that references your content key policy

  1. Select your asset in the Assets list.
  2. Click Add Streaming Locator and name your new locator.
  3. Select the streaming policy you wish to apply:
    • Predefined_ClearStreamingOnly — Use this policy if you do not want to apply any content protection to your streaming locator.
    • Predefined_MultiDrmCencStreaming — Use this policy if your content key policy has platform DRM protection schemes, and you wish to use the CENC for encryption of content. CENC has the widest device support.
    • Predefined_MultiDrmStreaming — Use this policy if your content key policy has platform DRM protection schemes, and you wish to use Widevine and PlayReady DRMs with CENC encryption and FairPlay DRM with CBCS encryption. CBCS is more secure but only runs on Android 7.x+, and Chrome 66+.
    • Predefined_ClearKey — Use this policy if you created a content key policy that only has Clear Key protection scheme. This streaming policy is supported on all devices.
  4. Select your content key policy from the dropdown. Remember: The content key policy must match the capabilities of the streaming policy you have selected above.
  5. You now should be able to select your newly created streaming locator and see video playback in the preview panel above. Note: If you enabled JWT token protection, playback will fail due to the token not being passed in. Follow the advanced tutorial below to validate your token protected content key policy.

Validating a content key policy with token protection

If you setup your content key policy with token protection, you must use the MK Player advanced testing page to validate playback.

  1. Navigate to the Assets page and select your preferred streaming endpoint and streaming locator.
  2. Copy the streaming URLs and license acquisition URLs. You will need these values for the MK Player page.
  3. Paste these values in the MK Player page.
  4. To send a JWT token for authentication, include it in the License request headers field. The JWT token should be {"Authorization":"Bearer=<jwtToken>"}.
  5. Click Play.

Configuring MKPlayer for playback with content protection enabled

Ensure that you've installed the latest version of MKPlayer SDK and have completed the Getting Started steps in the player documentation for basic playback. Next, follow the instructions below to enable content protection in your player.

  1. Navigate to the Assets page and select your preferred streaming endpoint and streaming locator.
  2. Copy the streaming URLs and license acquisition URLs. You will need these values for configuring the source object in the next step.
  3. Now we will proceed to configure the player starting at Step 5 from the Getting Started section of the player documentation, we will need to prepare a valid source configuration object to configure on the player to start playback with content protection enabled as below:
const sourceConfig = {
  title: "Title for your source",
  description: "Description for your source",
  hls: "HLS URL as copied from the Assets page",
  dash: "DASH URL as copied from the Assets page",
  drm: {
    // For Safari Browser with HLS + Fairplay Content Protection
    fairplay: {
      LA_URL: "Fairplay License URL as copied from the Assets page",
      certificateURL: "Fairplay Certificate URL as copied from the Assets page",
      headers: {
        // If you have any authorization tokens to configure
        "Authorization": "Bearer=<jwtToken>"
      }
    },
    // For Chrome, Edge browsers
    widevine: {
      LA_URL: "Widevine License URL as copied from the Assets page",
      headers: {
        // If you have any authorization tokens to configure
        "Authorization": "Bearer=<jwtToken>"
      }
    },
    // For Edge (Windows) browser
    playready: {
      LA_URL: "Playready License URL as copied from the Assets page",
      headers: {
        // If you have any authorization tokens to configure
        "Authorization": "Bearer=<jwtToken>"
      }
    }
  }
};

Note: For content-protected playback, each platform or browser has a preferred DRM system. As such, selecting the right combination in the source configuration above is crucial for proper playback. If you're uncertain, you can list multiple DRM systems in the above code snippet; the player will automatically choose the most suitable one for playback.

  1. With the above source configuration now prepared, we're ready to start playback by calling player.load API as below:
player.load(sourceConfig)
.then(() => {
    // you can also get notified when subscribed to `SourceLoaded` event.
    console.log("Source loaded successfull!");
})
.catch((error) => {
    console.error("An error occurred while loading the source!);
});
  1. Please refer to the player documentation for more details.