Skip to main content

Documentation Index

Fetch the complete documentation index at: https://gcore.com/docs/llms.txt

Use this file to discover all available pages before exploring further.

Secure token for video delivery

Video CDN can protect ABR video streaming protocols such as HLS and MPEG-DASH. For this workflow, enable two CDN resource options:
  • Secure Token: validates temporary access to the video URL.
  • Query String Forwarding: forwards token parameters from the master manifest to nested manifests, segments, and subtitles.

Secure Token

Enable Secure Token option in a CDN-resource settings when you need to protect HLS or MPEG-DASH video from copied links, unpaid access, or long-term sharing. A secure token adds temporary access parameters to the video URL, for example: 
http://demo-files-protected.gvideo.io/coffee_run/master.m3u8?md5=eBx15p01_a9JNuo1iZpTfQ&expires=1893456000&other=parameter
When the token is valid, CDN returns video manifests and segments with 200 OK. When the token expires, CDN returns 403 Forbidden or 410 Gone, so the file cannot be downloaded with the expired URL anymore.
Expired secure token returns 410 for a video segment

Query String Forwarding

HLS and MPEG-DASH are not single-file downloads. The player first requests a master manifest, then follows links inside it to rendition manifests, segments, subtitles, and other related files. For protected video in ABR streaming using protocols HLS or MPEG-DASH enable Query String Forwarding so CDN forwards the token parameters from the master manifest request to related files. For HLS and MPEG-DASH video protected by Secure Token, configure Query String Forwarding with these values:
FieldValues
Forward from file typesm3u8, mpd
Forward to file typesm3u8, ts, mp4, m4s, vtt
Forward only keysmd5, expires
Use m3u8 for HLS manifests and mpd for MPEG-DASH manifests. Use ts, mp4, m4s, and vtt for common nested media and subtitle files. Add other file extensions (e.g. m4a, m4v, etc.) if your manifests reference them and they also need the same query parameters. With Query String Forwarding enabled, a request to: 
/coffee_run/master.m3u8?md5=TOKEN&expires=EXPIRY
is propagated to all nested manifests and segments inside the manifest body automatically.
Query string parameters are inserted into manifest body links automatically
As the result, the video player doesn’t need to operate with tokens for each file, as it reads data from modified manifests instead.
Query string parameters are forwarded from the master manifest to nested manifests and segments

Token path rule

For requests with enabled Secure Token and Query String Forwarding, generate the token for the directory path, not for the exact manifest filename. So the single token will cover all files inside the specified directory. Example: 
/coffee_run/
not separately for each file: 
/coffee_run/master.m3u8
/coffee_run/index-svod720n-v1-a1.m3u8
/coffee_run/segment-1-svod720n-v1-a1.ts
/coffee_run/master.mpd
/coffee_run/dash-init-f1-v1-x3.m4s
/coffee_run/dash-segment-1-f1-v1-x3.m4s
...
The token works for all files inside the directory /coffee_run/. But it does not cover subdirectories. For full setup instructions, see Configure and use Secure Token and Query String Forwarding. Use these links to check how Secure Token and Query String Forwarding work with a real HLS stream: Links to demo files are valid until January 1, 2030. Screenshot:
Protected MPEG-DASH stream opened in dash.js player

Next steps

CDN logs

View CDN requests and status codes to debug token validation and segment access

Improve video delivery speed

Optimize cache hit ratio and delivery performance for video streaming

Auto-refresh secure tokens

Refresh short-lived tokens in the player for uninterrupted protected playback

Create a video CDN resource

Complete setup instructions to create a CDN resource for video streaming