How to use Token-based Access Revocation

Token-based access revocation ("access revocation") lets you generate a "revocationlist" of specific Token Authentication tokens to block access requests that include them. This helps to prevent token sharing between end users.

Before you begin

You set up access revocation with the Segmented Media Protection behavior in an AMD property, and you also need to use the Access Revocation API for configuration. Both require the following:

  • You need to have it added to your contract. Work with your account representative ("rep") to ensure your contract includes the AdaptiveMediaDelivery::AccessRevocation product.
  • Meet the API's prerequisites. Before you use the Access Revocation API for any operation, you must meet all of the requirements covered in the Get started section of the API's documentation.
Note: You typically can't use access revocation if you have a custom Token Authentication scenario. A custom scenario is one that's set up by your account rep. It's outside of simply using the default scenarios you can define using settings in the Segmented Media Protection behavior. If you have a custom scenario, contact your account rep to see if you can use access revocation.

First, you need to create a token and set its "session ID"

Access revocation uses a specific value included in a token—its session identifier ("session ID"). A session ID lets you control the level used to revoke the token. Here are a few example cases:

  1. You can use a unique session ID for each session to revoke that playback session. The stream thief will have to log back in to restart playback, and then re-share the URL with the unauthorized users all over again. This isn't a complete deterrent, but it makes it inconvenient to pirate content.
  2. You can use the specific user ID as the session ID. This blocks the specific user from accessing all content that's served through your AMD property for 24 hours.
  3. You can use a composite session ID for a specific user ID and content combination. For example, if the stream thief is sharing a live event link, he wouldn't be able to access the live event for playback himself during its duration or for 24 hours, whichever is earlier.

Use the process discussed in Generate the token and apply it to your content to define the token and extract its session_id value for use later in this process.

Next, you need to create a blacklist

You create a blacklist using the Access Revocation API. The API also lets you manage your identifiers as well as review your blacklists.

Important: Before you use the Access Revocation API for any operation, you must meet all of the requirements covered in the Get started section of the API's documentation.
  1. If necessary, work with your account representative to obtain the Akamai contractId assigned to your instance of Access Revocation.
  2. Build a new blacklist object. Include a unique name for the blacklist. It can only contain alphanumeric and dash characters. Also, include your applicable contractId.
  3. POST the object to /taas/v1/blacklists.
    POST /taas/v1/blacklist
    
    {
        "name": "Baseball-ws-2019",
        "contractId": "1-ABCDE"
    }    

The operation responds with a blacklist object. Make note of the id value from the response. This is its blacklistId.

{
    "id": 1,
    "name": "Baseball-ws-2019",
    "contractId": "1-ABCDE"
}
Note: You can only have a single blacklist.

Then, you need to enable the blacklist in Property Manager

You need to enable and configure the Token Authentication behavior as normal, but you need to ensure that you set the following, to enable access revocation and add your blacklist:

  • Enable Session-Id. Set Advanced Options to "On" and ensure that the Session-Id slider in the Field Carry-Over options is set to "Yes." This ensures that the session_id in the token in a request from an end user is reviewed against what you've set in your blacklist, to determine access.
  • Set Token Based Access Revocation options. Set these options as follows:
    • Set the Token Revocation slider to "On."
    • Select the Blacklist Name. Use this drop-down to select the blacklist you created using the API.


Finally, you revoke tokens

Once your AMD property is live on the Akamai production network and delivering your content, use the Access Revocation API to revoke offending tokens. You add individual "identifier" objects to the blacklist that contain of the unique session_id set in the offending token.

  1. Ensure you have the following:
    • blacklistId. This is the id that was generated for your blacklist after you created it.
    • session_id. Get this from the access token that you’ve configured to support Token Authentication. This value serves as the token identifier id.
  2. Build a new identifier array. Add an object for each token you want revoked. Include the identifier id for each, and optionally include the durationSeconds member to set a time to live for the revocation. After this period, tokens are "unrevoked" and can be used again to access content.
  3. POST the object to /taas/v1/blacklists/{blacklistId}/identifiers/add.
    POST /taas/v1/blacklists/{blacklistId}/identifiers/add
    
    [
        {
            "id": "<session_id of a token to be blocked>",
            "durationSeconds": 18000
        },
        {
            "id": "<session_id of a token to be blocked>",
            "durationSeconds": 3600
        }
    ]

The operation responds with the metadata object that shows the current count of token identifiers in the blacklist and the maximum number of identifiers it can house.

{
    "count": 500,
    "limit": 25000
}
Note: You can have a maximum of 25,000 identifiers in a single blacklist.

You should use bulk update

When setting up your workflow to revoke tokens via the API, try to include as many identifier objects as possible in a single revoke operation. If you need to set up multiple operations, issue them individually over some interval of time, for example one every 30 seconds.

Note: You're limited to a total of 20 operations per minute with the Access Revocation API. See the Access Revocation API documentation for details on how rate limiting is applied.

FAQ

Question Answer
How long does it take to revoke? Revocation time is five minutes from the time an offending token is discovered until Akamai begins the "durationSeconds" TTL.
Are there other API operations?

Yes

What's above is just the basic workflow to add access revocation. The Access Revocation API offers several more operations you can use. For example, you can review your blacklist stats and even "unrevoke" a token you've previously revoked. See the Access Revocation API v1 documentation for details.

Can it be use with Watermarking?

Yes

When a valid user requests content, watermarking distributes segments of content based on a pattern that’s unique to that user—a "watermarking token (WMT)." If your content is pirated or redistributed, you can analyze the content and extract the user’s WMT to identify the user that originally leaked the content.

You can also use access revocation to deny access to requests that include a WMT that's been flagged. See Watermarking with Access Revocation.