Watermarking with Access Revocation
You can use third-party Watermarking-based piracy detection services along with our Access Revocation feature to revoke access to a live session that's been flagged as a piracy source. This requires a mapping between the Watermark and the authentication ("auth") token.
What is Access Revocation?
Access Revocation lets you include auth tokens in a "revocation list." Requests that include these tokens are blocked from accessing your content. You generate a token revocation list using the Access Revocation API, include identifiers associated with the offending auth token in the list, and then apply that revocation list in your AMD property configuration.
Before you begin
This workflow requires three services for your AMD property configuration. You need to work with your account representative to ensure you have them on your contract:
- Access Revocation.
- Segmented Media Protection. This is a recommended behavior and should be available by default.
Understand the "roles"
There are three roles in this workflow:
- The content provider. The owner of the content being requested. The content provider makes the decision to use watermarking.
- The service provider. The entity that’s responsible for distributing content for the content owner. The service provider typically works with the watermarking vendor to generate watermarking tokens.
- The watermarking vendor. This is a third-party, supported vendor that sets up your content as well as generates and issues the watermarking tokens used in the process.
- The end user. The individual using a player or client app to request the content.
- The content provider establishes a relationship with the service provider to distribute watermarked content.
- The service provider generates an
auth token to protect the target content. A "
session_id" is set up in that token.
- When an end user requests the URL to play content, the service provider interfaces with the watermarking vendor to request a watermarking token (WMT) for the end user. The WMT contains a unique "watermark ID" for that specific end user.
- The watermarking vendor returns the WMT to the service provider.
- The service provider
maintains a mapping between the
session_idand the watermark ID.
- The end user's player uses the playback URL that was retrieved from the service provider, to start playback by fetching content from Akamai.
- When the watermarking vendor detects piracy or re-streaming, they pull the watermark ID from the content and communicate it to the service provider.
- At this point, either
the watermarking vendor or the service provider can revoke access, using the
session_idthat was set in the auth token.
How to revoke access
Here, we revoke access by generating a revocation list based on the
session_id in an
auth token that's been mapped to a “bad” WMT. You need to create an revocation list
and add the offending auth token's
session_id to it to mark
it for revocation.
- Work with a supported watermarking vendor to set up your content and the WMTs.
- Enable Token Authentication in your AMD property configuration, and also apply cookie-less token auth. Note the Encryption Key value you set.
- Generate a token for access to your content, and include a
session_idin that token.
- Add a revocation list using the Access Revocation
API, and store its "
id." (This is also referred to as the "
revocation-listId.") This process varies, based on the version of the API in use:
- Use the
revocation-listIdto set up Access Revocation in your AMD property configuration in Property Manager.
- Set up Watermarking in your AMD property configuration in Property Manager.
- Set up your player for watermarking.
- As requests for content begin,
and a bad WMT is identified, either the service provider or the watermarking
vendor need to store the
session_idthat's been mapped to the watermarking ID in that WMT.
- Either the service provider or
the watermarking vendor can revoke the token using its
session_idin the API: