Playback Protection
Prevent unauthorized viewing of your streams.
How it works
- You enable playback protection on a stream in the Dashboard.
- The player SDK requests a playback token from your API before playing.
- The token is a signed JWT that includes the viewer's IP and an expiry time.
- The CDN validates the token on every playlist/segment request.
- If the token is missing or expired, or the IP doesn't match, playback is denied.
Enable protection
Go to Dashboard → Streams → your stream → Playback tab → toggle "Playback Protection" on.
Authentication methods
Stream Key (recommended for most cases)
A secret key tied to your stream. Pass it to the player SDK:
```js
const player = new XStreamsPlayerShaka({
  container: document.getElementById('player'),
  streamId: 'YOUR_STREAM_ID',
  tokenEndpoint: 'https://api.yoursite.com/api/v1/ssai/YOUR_STREAM_ID/token/',
  options: {
    streamKey: 'sk_abc123...', // from Dashboard → Playback → Secret Key
  },
});
```
Get your stream key from Dashboard → Streams → your stream → Playback → Secret Key.
Session Auth (for logged-in users on your site)
If viewers are already logged in to your website:
```js
// Fragment of the player configuration shown above
options: {
  sessionAuth: true, // sends browser cookies
}
```
This only works when the player is on the same domain as your API, or when you have CORS configured with credentials: include.
Origin whitelist
Restrict which domains can embed your player:
- Go to Dashboard → Streams → your stream → Playback.
- Add allowed origins (e.g., https://yoursite.com, https://app.yoursite.com).
- Requests from other origins will be rejected.
Token lifecycle
- Tokens are valid for 15 minutes.
- The SDK automatically refreshes the token before it expires.
- Viewers never see a token error — refresh happens silently in the background.
- If refresh fails (e.g., network down), the SDK retries and shows an error only after all retries fail.
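The per-request checks listed under How it works, together with the 15-minute lifetime above, written out as an added example for Node.js (not the product's own code). The HS256 algorithm, the claim names `ip` and `exp`, the function names `issueToken` and `validateToken`, and the sample secret and addresses are assumptions made for illustration.

```javascript
// Added example. Assumed token format: HS256 JWT with claims { ip, exp }.
const { createHmac, timingSafeEqual } = require('node:crypto');

const TTL_SECONDS = 15 * 60; // tokens are valid for 15 minutes

const b64url = (value) => Buffer.from(value).toString('base64url');
const sign = (data, secret) => createHmac('sha256', secret).update(data).digest();

// Token endpoint side: bind the token to the viewer's IP and an expiry time.
function issueToken(secret, viewerIp, nowSec) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ ip: viewerIp, exp: nowSec + TTL_SECONDS }));
  const sig = sign(`${header}.${payload}`, secret).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Edge side: run on every playlist/segment request.
function validateToken(token, secret, requestIp, nowSec) {
  if (!token) return { ok: false, reason: 'missing' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  let alg, claims;
  try {
    alg = JSON.parse(Buffer.from(header, 'base64url').toString()).alg;
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm; the token must not choose it (rejects "alg":"none").
  if (alg !== 'HS256') return { ok: false, reason: 'bad_alg' };
  // Check the signature in constant time before trusting any claim.
  const expected = sign(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad_signature' };
  }
  if (typeof claims?.exp !== 'number' || nowSec >= claims.exp) {
    return { ok: false, reason: 'expired' };
  }
  if (claims.ip !== requestIp) return { ok: false, reason: 'ip_mismatch' };
  return { ok: true, reason: null };
}

// Constructed sample: token issued to 203.0.113.7, presented from another address.
const demo = issueToken('constructed-demo-secret', '203.0.113.7', 1700000000);
console.log(validateToken(demo, 'constructed-demo-secret', '198.51.100.9', 1700000060));
```

Because the IP claim is covered by the signature, a token copied to another address fails with `ip_mismatch`, and rewriting the claim fails with `bad_signature`.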