Ooyala Player Token for Player V3 (Deprecated)

Note: This topic describes Ooyala Player Token functionality in Player V3, which has been deprecated. For Player V4, see Ooyala Player Token for Player V4.

Ooyala provides content publishers and providers with the ability to secure digital content with the Ooyala Player Token, which is one of Ooyala's content protection solutions.

Note: Available only if your Ooyala account includes this functionality. To enable Ooyala Player Token, contact your account manager.

You can use the Ooyala Player Token to protect against users who try to make unauthorized use of your digital content. For example, a user may take the embedded player JavaScript (.js) script tag generated in Backlot and distribute it without permission to others for replay, or attempt other similar replay attacks.

To prevent such unauthorized usage, Ooyala provides the Ooyala Player Token, which helps protect your content from these types of risks. You can use this feature to secure your monetized content and prevent unauthorized distribution.

The Ooyala Player Token feature provides you with a secure process that authenticates the player before allowing it to replay your digital content. Token-based authentication ensures that your digital content cannot be downloaded or played until the client player has been authenticated. Once the client player is authenticated, it is authorized to play the requested content.

Using the Ooyala Player Token

For more information on how to build web applications with the Ooyala Player JavaScript API, see Developing with the Player V3 JavaScript API (Deprecated).

Step 1: Set up the Ooyala Player Token in Backlot

The Backlot UI lets you secure your content by setting a flag on a syndication group and adding your content assets to that syndication group. You can then set up your web page to run your player(s) and send the authorization token.

Securing Playback Content with the Ooyala Player Token

Follow these steps to secure your content in Backlot:

  1. Log in to your Backlot account.
  2. Click the PUBLISH tab, and select the Syndication Controls tab.
  3. Select a video from a syndication group, or set up a syndication group and then select your video.
  4. In the Syndication Controls pane, click the Require Ooyala Player Token checkbox.
  5. (Optional) In the Expiration field, set the expiration time (in seconds) for the viewing session. If you do not specify a time, the recommended default of ten minutes is used. The field only accepts numeric entries (for example, 600). You may set a longer expiration time for the token if you prefer, since the Same Origin Policy protects its distribution. For more information about the expiration time, see Ooyala Player Token Expiration.
  6. Click the MANAGE tab, and select the Embed tab.
  7. Click the Copy button to get the player JavaScript <script> tag to paste into your web page. This content must be in the syndication group in which you specified the Ooyala Player Token as a required option.

Step 2: Create a Basic HTML Page

Create a basic HTML page that includes a call to OO.Player.create(). For a complete tutorial, see Basic Tutorial for the HTML5 Player V3 (Deprecated).
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>My Test Player V3 Web Page</title>
 
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/v3/f6d2bba353f74b3db7683cf6b0a91f29?platform=html5-priority">
        </script>
 
        <!-- Load additional custom modules -->
    </head>
 
    <body>
        My Player V3 Content:<br/><br/>
 
        <!-- Player Placement -->
        <div id="ooyalaplayer" style="width:640px;height:360px"></div>
 
        <script>
            OO.ready(function() {
                OO.Player.create(
                    'ooyalaplayer', 
                     "A5eXRtcjpb6AEKizxldiaThNBmL9GWGU", {
                     }
                );
            });
        </script>
    </body>
</html>
Note: While this basic example illustrates the token request value on a web page, it is recommended that you do not actually store such information on static web pages since token requests contain sensitive information.

Step 3: Specify the embedToken Embedded Parameter

In the call to OO.Player.create(), specify embedToken as an embedded parameter:

OO.Player.create(
                    'ooyalaplayer', 
                    "A5eXRtcjpb6AEKizxldiaThNBmL9GWGU", { 
                        embedToken : 'token value to be added here'
                    }
                );

You can see this in the code shown below:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>My Test Player V3 Web Page</title>
 
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/v3/f6d2bba353f74b3db7683cf6b0a91f29?platform=html5-priority">
        </script>
 
        <!-- Load additional custom modules -->
    </head>
 
    <body>
        My Player V3 Content:<br/><br/>
 
        <!-- Player Placement -->
        <div id="ooyalaplayer" style="width:640px;height:360px"></div>
 
        <script>
            OO.ready(function() {
                OO.Player.create(
                    'ooyalaplayer', 
                    "A5eXRtcjpb6AEKizxldiaThNBmL9GWGU", {
                        embedToken : 'token value to be added here'
                    }
                );
            });
        </script>
    </body>
</html>

Step 4: Construct and Assign the Token Request Value

Now you are ready to construct the token request value and assign it to the embedToken embedded parameter. The value is specified in the form of a URL that has the segments shown in the table below:

| URL Segment | Description |
| --- | --- |
| Protocol and domain | http://player.ooyala.com |
| Request path | /sas/embed_token/{pcode}/{comma-separated embed codes} |
| Query string parameters | ?account_id={optional account ID}&api_key={apikey}&expires={expiration time}&return_json=1&signature={computed signature} |

You will learn how to specify all the required values shown in the table.

In this example, the following values are used (see below for detailed instructions on how to construct these values):
  • pcode: F0Y2E6qDLc1XS9yvdR48ulAQ2t1
  • embed code: A5eXRtcjpb6AEKizxldiaThNBmL9GWGU
  • apikey: F0Y2E6qDLc1XS9yvdR48ulAQ2t1.yRIJm
  • expiration time: 1483688253
  • computed signature: sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7/f39IBM4

Note: The return_json query parameter is optional. Set this parameter to 1 if you would like the authentication token to be returned in the JSON response.

Here is the call to OO.Player.create() that includes the token request value:

OO.Player.create('ooyalaplayer', "A5eXRtcjpb6AEKizxldiaThNBmL9GWGU", { 
  embedToken : 'http://player.ooyala.com/sas/embed_token/F0Y2E6qDLc1XS9yvdR48ulAQ2t1/A5eXRtcjpb6AEKizxldiaThNBmL9GWGU?api_key=F0Y2E6qDLc1XS9yvdR48ulAQ2t1.yRIJm&expires=1483688253&signature=sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7/f39IBM4'
});

See Complete Web Example: Authorize Playback and Obtain a Token.

You will need the values described above. To retrieve these, follow the directions shown in this table:

| Value | Description |
| --- | --- |
| apikey | If API access is enabled for your account, Ooyala provides you with an API Key. This is a required field. For more information about the API Key, see General Algorithm for Signing Requests. |
| pcode | You can get this partner code (pcode) information for a particular provider from your Ooyala Backlot Web Account. Select the Account tab and click Developers. The API Key contains two sets of characters separated by a period (.). The set of characters to the left of the period is the pcode. This is a required field. |
| comma-separated embed codes | You supply one or more embed codes that represent the players that will be embedded on the page. You can use up to 50 embed codes. You may specify a value of all if you would like to create the playback token for use with multiple assets (over 50 embed codes). This is useful when using the rights locker with applications that want to create the playback token for multiple assets. |
| expirationTime | The POSIX time at which point the token expires. Use a short expiration time on the URL snippet so that the snippet cannot be replicated across other domains (more precisely, it can be embedded, but will become nonfunctional). |
| account_id | (Optional) Your account or user identifier. While not always necessary in the Ooyala Player Token, the account_id is required for working with entitlements (such as eCommerce), concurrent stream limits, cross-device resume, or device registration. Use this parameter in conjunction with Rights Locker and Device Registration API. |
| computedSignature | (This must be the last parameter.) Generate this signature on the server by following the instructions provided in General Algorithm for Signing Requests. |
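
The following Node.js example is added here and is not part of Ooyala's documentation. It builds the token request URL on the server for each page load, so the secret and a long-lived signed URL never sit in a static page. The signing routine assumes the scheme from General Algorithm for Signing Requests (SHA-256 over secret, HTTP method, path and sorted key=value pairs, Base64, first 43 characters), which this page does not reproduce; the function names and the secret are constructed for illustration.

```javascript
const crypto = require("crypto");

const HOST = "http://player.ooyala.com"; // protocol and domain from the URL table

// Assumption: signing scheme from "General Algorithm for Signing Requests"
// (not reproduced on this page): SHA-256 over secret + HTTP method + path +
// sorted key=value pairs, Base64-encoded, truncated to 43 characters.
function sign(secret, method, path, params) {
  const pairs = Object.keys(params).sort().map((k) => `${k}=${params[k]}`).join("");
  const digest = crypto.createHash("sha256")
    .update(secret + method + path + pairs, "utf8").digest("base64");
  return digest.slice(0, 43).replace(/=+$/, "");
}

// Hypothetical helper: builds a fresh, short-lived token request URL per page load.
function buildEmbedTokenUrl({ apiKey, secret, embedCodes, ttlSeconds = 600, accountId, now = Date.now() }) {
  const pcode = String(apiKey || "").split(".")[0]; // pcode = API key part left of the period
  if (!pcode || !secret) throw new Error("apiKey and secret are required");
  const codes = embedCodes === "all" ? ["all"] : embedCodes;
  if (!Array.isArray(codes) || codes.length < 1 || codes.length > 50) {
    throw new Error('supply 1 to 50 embed codes, or "all"');
  }
  if (!Number.isInteger(ttlSeconds) || ttlSeconds <= 0) {
    throw new Error("ttlSeconds must be a positive integer");
  }
  const path = `/sas/embed_token/${pcode}/${codes.join(",")}`;
  const expires = Math.floor(now / 1000) + ttlSeconds; // POSIX time
  const params = { api_key: apiKey, expires: String(expires) };
  if (accountId) params.account_id = accountId;

  const signature = sign(secret, "GET", path, params);
  const query = Object.keys(params).sort()
    .map((k) => `${k}=${encodeURIComponent(params[k])}`).join("&");
  // The signature is appended after all other parameters.
  const url = `${HOST}${path}?${query}&signature=${encodeURIComponent(signature)}`;
  return { url, expires, signature };
}

// Constructed inputs: API key and embed code are the page's sample values,
// the secret is a placeholder. Keep the real secret in server-side config only.
const demo = buildEmbedTokenUrl({
  apiKey: "F0Y2E6qDLc1XS9yvdR48ulAQ2t1.yRIJm",
  secret: "PLACEHOLDER_SECRET",
  embedCodes: ["A5eXRtcjpb6AEKizxldiaThNBmL9GWGU"],
});
console.log(demo.url); // value to render into embedToken for this response
```

Render the returned url into the embedToken parameter of OO.Player.create() when the page is generated; the default ttlSeconds of 600 matches the ten-minute default described in Step 1.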

Complete Web Example: Authorize Playback and Obtain a Token

In the following example, when the embedded player is loaded, the event triggers the communication of the token request URL to the player. The player then uses the token request to ask the Ooyala authorization server for authorization and a token. Depending on whether the request qualifies for playback, the server returns either a valid token and an authorized response, or an invalid token and an unauthorized response.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>My Test Player V3 Web Page</title>
 
        <!-- Load Ooyala Player -->
        <script src="http://player.ooyala.com/v3/f6d2bba353f74b3db7683cf6b0a91f29?platform=html5-priority">
        </script>
 
        <!-- Load additional custom modules -->
    </head>
 
    <body>
        My Player V3 Content:<br/><br/>
 
        <!-- Player Placement -->
        <div id="ooyalaplayer" style="width:640px;height:360px"></div>
 
        <script>
            OO.ready(function() {
                OO.Player.create('ooyalaplayer', "A5eXRtcjpb6AEKizxldiaThNBmL9GWGU", {
                        embedToken : 'http://player.ooyala.com/sas/embed_token/F0Y2E6qDLc1XS9yvdR48ulAQ2t1/A5eXRtcjpb6AEKizxldiaThNBmL9GWGU?api_key=F0Y2E6qDLc1XS9yvdR48ulAQ2t1.yRIJm&expires=1483688253&signature=sp4Cew3qqX1iBrlKSfjlryuPlbHIaLMzLh7/f39IBM4'
                });
            });
        </script>
    </body>
</html>
