Authentication Flow
Every API call is authenticated using server-side generation of an API token. This token is created using an HMAC MD5 hash of your API secret, the IP address of the client requesting the token, and a timestamp, to find out how to generate this code follow the steps on this below. The token is then passed to the client-side code as a hexadecimal string, so that the client-side code can perform an authenticated request to the Streaming or Player APIs.
Your API secret should never be exposed to the public. In case of abuse, or if you have reasons to believe your API secret has been exposed, please contact the Integrations team to request a new secret.
Authentication Flow Diagram
As shown, the end-to-end authentication flow is as follows:
The end-user (client) wants to view content. In order to make this request, the client must have a valid authentication token. The client requests this authentication token from the operator’s back-end.
The operator's back-end/server generates a token and returns it to the client. This token should have the operator secret, ip address of the client, and the timestamp hashed into it.
The client makes a request to the Streaming API for a playback URL.
The stream URLs are passed to the operator’s video player.
For the Player/Thumbnail API - replace 3) above with a call to the Player/Events/Thumbnail API rather than to the Streaming API
All Events API requests need to be made server-side and not client-side - If they are made client side these requests will fail.
For Streaming API requests, it is imperative that the IP address of the client is the IP address that is hashed into the authentication token. If not, this will very likely result in a 401 response from the Streaming API.
Last updated
Was this helpful?