How to Secure My Content With Signed Keys?

By Harmonie Duhamel

3 Min Read

banner image featured
author avatar

Harmonie Duhamel

Harmonie is a Senior digital marketer with over 6 years in the Tech Industry. She has a strong marketing and sales background and loves to work in multilingual environments.

    Share this post

    Sign up for a 14-Day trial.

    • Start streaming in minutes
    • 10 GB of free bandwidth on us
    • No credit card required

      Signed Keys are an alternative to Domain Control for preventing your videos from being embedded where you don’t want them to be. Whereas Domain Control security is based upon verifying the referrer information sent by the embedding user agent, a user signed security is based upon verifying a signature appended to your embed code that is generated using a secret signing key shared by you and Dacast.

      Typically, Signed Keys are intended for use in applications that are dynamically generating HTML content. Signed Keys allow you to set an expiry time for your embed code so that a particular embed code is only valid for a limited time into the future. When your application generates an HTML document with an embedded video, it also generates a signed embed code, specific to that page, which is only valid for a short time into the future. If your pages are static, you can’t use Signed Keys as the key has to be generated in real-time.


      Normally, when you embed a Dacast video on your site, you simply use the Dacast generated embed code to do so. It looks something like this:

      <iframe src="”………</iframe>

      When using Signed Keys, you continue to use the same embed code, however, an additional parameter is appended to the src attribute in the iframe. It looks something like this:

      <iframe src="”………</iframe>

      The uss_token parameter is dynamically generated by your application using your secret signing key, and Dacast will not serve the video unless the token is valid and has not expired. User signed security also applies to playlist embeds.

      Enabling Signed Keys

      Signed Keys can be enabled in the security settings section of your settings page. Note that you will also have to generate a signing key on the same page before Dacast will apply user signed security checks to your videos:

      Signed Keys feature dacast

      Generating signed embed code URLs

      There are three ways you can generate the uss_token parameter to append to your embed code. 

      The first works for individual videos only (not playlists) and is specific to the video being embedded. That is, a token generated for a particular video cannot be used for other videos you own.

      The second method generates a token that will be valid (until it expires) for any of the videos you own. This can be useful if you are creating a page that embeds a number of different videos and you do not want to generate video-specific tokens for each embed. It is also the required method if you are embedding a playlist.

      The third is similar to the first, except it also requires you to specify the format (video/download/source) so that you can allow only playback but not downloads with that token.


      Video-Specific Tokens

      To generate a    USS token, you first pick an expiry time for the token. Typically, you would pick a time a few minutes or so in the future (Note that ideally your system time should be synced using NTP or a similar protocol so your system thinks it is the same time that Dacast’s system does). The time you pick should be in UTC, and converted to a string of the format:


      So, for example, the 10th of July, 2021, 07:18:22 PM (UTC) would be expressed as:


      The uss_token parameter is then generated as the following string:


      where `<expiry_timestamp>` is the timestamp string generated above, `<content_id>` is the Content ID of the video you are embedding, and `<signing_key>` is your signing key found on the Dacast settings page. MD5() is a function that computes the MD5 hash of a given string.


      User-specific Tokens

      This token type does not require the video id and will be valid for any of your videos as well as your playlists. The method for constructing the token is similar to video-specific tokens. The final token is computed as:


      The differences are the token is now prefixed with ‘3.’, and the video id is no longer included in the hashed string.

      Format-specific Tokens
      Similar to the video-specific token, except it requires you to specify one of video/download/source, depending on what you want to allow:




      Language Examples
      Here are a few examples of generating user signed security tokens in some common server-side languages:


      	require 'digest'
      	# Expire in 2 minutes time
      	expiry_timestamp = ( + 120).strftime("%Y%m%d%H%M%S")
      	signing_key = "000033337777aaaa222233334444bbbb"
      	video_id = 920344
      	# Generate a video-specific token
      	signature_vs = Digest::MD5.hexdigest(
      token_vs = "2.#{#{signing_key}".#{signature_timestamp}
      # Generate a user-specific token
      signature_us = Digest::MD5.hexdigest(
         token_us = "3.#{expiry_timestamp}.#{signature_us}"
       # Generate a video- and format-specific token
       # This allows only playback, not downloads
       signature_fs = Digest::MD5.hexdigest(
      token_fs = "4.#{expiry_timestamp}.#{signature_fs}"
      # This allows only download, not playback
      signature_fs = Digest::MD5.hexdigest(
      token_fs = "4.#{expiry.timestamp}.#{signature_fs}""


      // This example requires the apache common-codec library
      	//	(
      	import org.apache.commons.codec.digest.DigestUtils;
      	import java.text.SimpleDateFormat;
      	import java.util.Date;
      	import java.util.Timezone;
      	public class DacastUssTokens {
      		public static void main(String)[] args) {
      			SimpleDateFormat dateFormat = new SimpleDateFormat("yyyMMddHHmmss");
      			String expiryTimestamp = dateformat.format(
      					new Date(System.currentTimeMillis() + (120 * 1000)));
      			String signingKey = "000033337777aaaa222233334444bbbb";
      			int videoID = 920344;
      			// Generate a video-specific token
      			String signatureVs = DigestUtils.md5Hex(
      					String.format("%d:%s:%s", videoId, signingKey, expiryTimestamp));
      			String tokenVs = String.format("2.%s.%s", expiryTimestamp, signatureVs);
      			// Generate a user-specific token
      			String signaturesUS = DigestUtils.md5Hex(
      					String.format("%s:%s", signingkey, expiryTimestamp));
      			String tokenUs = String.format("3.%s.%s", expiryTimestamp, signatureUs);
      			// Generate a video- and format-specfic token
      			// This allows only playback, not downloads
      			String signatureFs = DigestUtils.md5Hes(
      					String.format("%s:%s:%s", "video", videoId, signingKey, expiryTimestamp
      			String tokenFs = String.format("4.%s.%s", expiryTimestamp, signatureFs);
      			 // This allows only downloads, not playback
      			 String signatureFs = DigestUtils.md5Hex(
      			 		String.format("%s:%d:%s:%s", "video", videoId, signingKey, expiryTime
      			 String tokenFs = String.format("4.%s.%s", expiryTimestamp, signatureFs);
      		# Epire in 2 minutes time
      		$time = new DateTime('now', new DateTimeZone('UTC'));
      		$time -> modify("+2 minutes");
      		$expiry_timestamp = $time -> format{'ymdHis'};
      		$signing_key = "000033337777aaaa222233334444bbbb";
      		$video_id = 920344;
      		# generate  video-specific token
      		$signature_vs = md5("{expiry_timestamp}.{$signature_vs}");
      		$token_vs = "2.{$expiry_timestamp}.{$signature_vs}";
      		# Generate a user-specific token
      		$signature_us = md5("{signing_key}:{$signature_timestamp}";
      		$token_us = "3.{$expiry_timestamp}.{$signature_us}";
      		# Generate a video- and format-specific token
      		# This allows only playback, not downloads
      		$signature_fs = md5("video_id}:{$signing_key}:{$sexpiry_timestamp}");
      		$token_fs = "4.{$expiry_timestamp}.{$signature_fs}";
      		# This allows only downloads, not playback
      		$signature_fs = md5("download:{$video_id}:{signing_key}:{$expiry_timestamp}";
      		$token_fs = "4.{$expiry_timestamp}.{$signature_fs}";


      We do not have full example C# code at this time as we are not .NET engineers. However, the core issue is creating an MD5 hash of the string. There’s an article here that explains exactly how to do that:  How do I calculate an MD5 hash from a string?

      author avatar

      Harmonie Duhamel

      Harmonie is a Senior digital marketer with over 6 years in the Tech Industry. She has a strong marketing and sales background and loves to work in multilingual environments.

      Free 14-Day Trial

      • Start streaming immediately
      • No credit card required
      • 10 GB of bandwidth
      Read Next

      Read Next

      article featured

      How to set up Multiple Payment Method with your Dacast account?

      author avatar

      Samantha Lo

      1 Min Read

      article featured

      VOD To Live

      author avatar

      Samantha Lo

      2 Min Read

      article featured

      Type of channels Dacast Offers

      author avatar


      2 Min Read

      Subscribe Now

      Stay up-to-date with the latest features and product releases. Cool tips, expert advice and more.