Watermarking with Access Revocation
You can use third-party Watermarking-based piracy detection services along with our Access Revocation feature to revoke access to a live session that's been flagged as a piracy source. This requires a mapping between the Watermark and the authentication ("auth") token.
What is Access Revocation?
Access Revocation lets you include auth tokens in a "blacklist." Requests that include these tokens are blocked from accessing your content. You generate a token blacklist using the Access Revocation API, include identifiers associated with the offending auth token in the list, and then apply that blacklist in your AMD property configuration.
Before you begin
This workflow requires three services for your AMD property configuration. You need to work with your account representative to ensure you have them on your contract:
- Segmented Media Protection. This is a recommended behavior and should be available by default.
- Access Revocation.
Understand the "roles"
There are three roles in this workflow:
- The content provider. The owner of the content being requested. The content provider makes the decision to use watermarking.
- The service provider. The entity that’s responsible for distributing content for the content owner. The service provider typically works with the watermarking vendor to generate watermarking tokens.
- The watermarking vendor. This is a third-party, supported vendor that sets up your content as well as generates and issues the watermarking tokens used in the process.
- The end user. The individual using a player or client app to request the content.
- The content provider establishes a relationship with the service provider to distribute watermarked content.
- The service provider generates an
auth token to protect the target content. A "
session_id" is set up in that token.
- When an end user requests the URL to play content, the service provider interfaces with the watermarking vendor to request a watermarking token (WMT) for the end user. The WMT contains a unique "watermark ID" for that specific end user.
- The watermarking vendor returns the WMT to the service provider.
- The service provider
maintains a mapping between the
session_idand the watermark ID.
- The end user's player uses the playback URL that was retrieved from the service provider, to start playback by fetching content from Akamai.
- When the watermarking vendor detects piracy or re-streaming, they pull the watermark ID from the content and communicate it to the service provider.
- At this point, either
the watermarking vendor or the service provider can revoke access, using the
session_idthat was set in the auth token.
How to revoke access
Here, we revoke access by blacklisting based on the
session_id in an auth
token that's been mapped to a “bad” WMT. You need to create an Access Revocation
blacklist and add the offending auth token's
session_id to it to
mark it for revocation.
- Work with a supported watermarking vendor to set up your content and the WMTs.
- Enable Token Authentication in your AMD property configuration, and also apply cookie-less token auth. Note the Encryption Key value you set.
- Generate a token for access to your content, and include a
session_idin that token.
- Add a blacklist using the Access Revocation API, and
store its "
id." (This is also referred to as the "
- Use the
blacklistIdto set up Access Revocation in your AMD property configuration in Property Manager.
- Set up Watermarking in your AMD property configuration in Property Manager.
- Set up your player for watermarking.
- As requests for content begin,
and a bad WMT is identified, either the service provider or the watermarking
vendor need to store the
session_idthat's been mapped to the watermarking ID in that WMT.
- Either the service provider or
the watermarking vendor can revoke the token using its
session_idin the Access Revocation API.