When a client requests an M3U8 file, this feature automatically appends the authentication parameters from the request to the key URI within the #EXT-X-KEY tag. This secures access to your encryption keys without modifying your origin server and prevents unauthorized video playback.
Use cases
In a standard HLS encryption workflow, the #EXT-X-KEY tag specifies the URI for retrieving the decryption key. If this URI is a fixed, unprotected public address, anyone who obtains the M3U8 file can download the key and decrypt the video content, which renders the encryption ineffective.
To solve this problem, this feature attaches a dynamic, verifiable authentication token to each key request. It is ideal for scenarios that require access control for HLS encryption keys, such as:
Paid video and online education: To prevent users from sharing M3U8 URLs with non-paying users, you can generate a unique authentication parameter for each logged-in user. This ensures that only authorized users can retrieve the decryption key within its validity period.
Live stream copyright protection: For major sporting events or live broadcasts, you can combine dynamically generated authentication parameters with CDN URL authentication. This enables fine-grained access control over the live stream and effectively prevents hotlinking.
How it works
A client sends a request to your application server. Based on your business logic, such as user login, the application server generates an authentication parameter with a validity period and signature (for example,
token=xxxx) and returns it to the client.The client appends this authentication parameter to the end of the M3U8 file request URL and sends an M3U8 request to a CDN point of presence (PoP).
Before returning the M3U8 file, the CDN PoP parses its content, finds the
#EXT-X-KEYtag, and appends the authentication parameter from the client's request URL to the end of the tag'sURIattribute.The client receives the rewritten M3U8 file from CDN and sends a request to the key server using the new key URI, which now includes the authentication parameter.
The key server receives the key request, extracts the authentication parameter from the URL, and validates it. If validation succeeds, it returns the decryption key. Otherwise, it denies the request.
After obtaining the key, the client decrypts the TS video stream and starts playback.
This feature does not encrypt video content. Before you use this feature, ensure that the video segments (TS files) on your origin server are encrypted based on an HLS standard, such as AES-128. The original M3U8 file must also contain the correct #EXT-X-KEY tag. For more information about video encryption, see How to generate and encrypt an M3U8 file.
The application server and key server are described here to help you understand the M3U8 encryption and rewrite feature. This feature does not implement the application server or key server. You must implement their functionalities to complete the HLS key authentication process.
The
#EXT-X-KEYtag specifies whether the content is encrypted. For more information about M3U8 file tags, see What is in an HLS M3U8 file.
Procedure
-
Log on to the CDN console.
-
In the left navigation pane, click Domain Names.
-
On the Domain Names page, find the target domain name and click Manage in the Actions column.
-
In the domain's navigation pane, click Video.
In the M3U8 Encryption and Rewrite section, turn on the M3U8 Encryption and Rewrite switch.
NoteAfter you enable M3U8 Encryption and Rewrite, the default parameter name is
MtsHlsUriToken.Optional: To modify the parameter name to match your client, perform the following steps:
Click Modify next to Custom Parameter Name.
In the Custom Parameter Name dialog box, set Parameter Name.
If you do not specify a value, the parameter name defaults to
MtsHlsUriToken.NoteParameter names are case-sensitive. Make sure the parameter name you set exactly matches the parameter name in client requests. For example, if the client request includes the
MtsHlsUriTokenparameter and you set the custom parameter name in the CDN console tomtshlsuritoken, the configuration does not take effect.Click OK to complete the configuration.
Example
Access the M3U8 file that is accelerated by CDN in your browser and append MtsHlsUriToken=tokenxxxxx to the end of the request. Example: http://<CDN-accelerated domain name>/video.m3u8?MtsHlsUriToken=tokenxxxxx
In your browser's developer tools, the Network panel shows that the request for the M3U8 file includes the custom parameter, but the subsequent key request does not.
In the CDN console, enable M3U8 Encryption and Rewrite. If needed, you can set a custom parameter name (this demonstration uses the default parameter
MtsHlsUriToken). In the CDN console, enable the M3U8 encryption and rewrite feature, and set Custom Parameter Name toMtsHlsUriToken.Repeat Step 1. Access the CDN-accelerated M3U8 file in a browser and append MtsHlsUriToken=tokenxxxxx to the end of the request.
In your browser's developer tools, on the Network panel, you can see that the request for the key address now includes the custom parameter.
The request URL for the key file
encryption_key.keyincludes theMtsHlsUriToken=tokenxxxxxparameter, and the response has a status code of 206 and a Content-Length of 16 bytes.
FAQ
What is the HLS protocol?
HTTP Live Streaming (HLS) is an HTTP-based streaming media transport protocol developed by Apple. It works over HTTP, allowing clients to download files sequentially from a server. The protocol specifies that the video must be in the Transport Stream (TS) container format. In addition to the TS video files, HLS uses a text file with an M3U8 extension to control playback. This M3U8 file is a playlist that contains a list of media segments. HLS works by splitting a video stream into small TS segments. To start playback, a client first downloads the M3U8 playlist. The client then downloads each media segment in sequence using the URLs in the playlist.
What is in an HLS M3U8 file?
Basic tags of an M3U8 file:
#EXTM3U: The M3U8 file header. It must be the first line of the playlist.EXT-X-MEDIA-SEQUENCE: The sequence number of the first TS segment in the playlist. The value is typically 0. In live streaming, this sequence number identifies the starting point of the live segment. For example,#EXT-X-MEDIA-SEQUENCE:0.#EXT-X-TARGETDURATION: The maximum duration of a media segment. For example,#EXT-X-TARGETDURATION:10indicates that the maximum duration of each segment is 10 seconds.#EXT-X-ALLOW-CACHE: Indicates whether the client can cache media segments. The value can be#EXT-X-ALLOW-CACHE:YESor#EXT-X-ALLOW-CACHE:NO. The default value is YES.#EXT-X-ENDLIST: Indicates the end of the playlist.#EXTINF: Extra information about a media segment, such as its duration and bandwidth. The format is typically#EXTINF:<duration>,[<title>]. The value before the comma is the duration of the current media segment. The segment duration must be less than or equal to the value of the#EXT-X-TARGETDURATIONtag.#EXT-X-VERSION: The version number of the M3U8 playlist.#EXT-X-DISCONTINUITY: This tag indicates a break between the preceding media segment and the one that follows.#EXT-X-PLAYLIST-TYPE: Indicates the type of the stream.#EXT-X-KEY: Specifies how to decrypt encrypted media segments. For example:#EXT-X-KEY:METHOD=AES-128,URI="https://example.com/video.key?token=xxx". This example shows that the encryption algorithm is AES-128. The key is obtained by sending a request tohttps://example.com/video.key?token=xxx. After the key is retrieved, it is stored locally and used to decrypt subsequent TS video files.
How to generate and encrypt an M3U8 file?
Generate an encryption key.
This key is typically a 16-byte random string for AES-128 encryption. You can use OpenSSL to generate a key file that contains 16 random bytes by running the following command:
openssl rand 16 > encryption_key.keyPrepare the
key_info.txtfile for encryption. The encryption tool will encrypt HLS video files based on this file.https://example.com/encryption_key.key /path/to/local/encryption_key.keyThe first line is the URL of the encryption key that you generated in Step 1. We recommend that you place the file in a CDN-accelerated OSS origin server and use a CDN-accelerated domain name to access the file.
The second line is the absolute path of the local key file.
Use the
FFmpegtool to generate and encrypt HLS video files.ffmpeg -i input_video.mp4 -c:v copy -c:a copy -hls_time 10 -hls_key_info_file key_info.txt -hls_list_size 0 output_playlist.m3u8-i input_video.mp4: Specifies the video file to convert, such as a video inMP4format.-c:v copy: Copies the video stream directly without re-encoding.-c:a copy: Copies the audio stream directly without re-encoding.-hls_time 10: Sets the duration of eachTSfile to 10 seconds. You can modify this setting based on the duration of the original video.-hls_key_info_file key_info.txt: Specifies the file that contains the encryption key information.-hls_list_size 0: Sets the number ofTSfile indexes to retain in theM3U8file. A value of0indicates that all.tsfile indexes are retained.output_playlist.m3u8: The output HLS playlist file name (that is, theM3U8file name).
Save the encrypted
TSfiles andM3U8files to a server, such as a CDN-accelerated OSS origin server. Then, use a CDN-accelerated domain name in a browser to access theM3U8file to enable encrypted playback of videos that use theHLSprotocol.