- 23 Jul 2025
- Drucken
Token Protection
- Aktualisiert am 23 Jul 2025
- Drucken
Token protection
LiveStream Pro supports the protection of events by a token. That means, that a LSPRO Viewer URL can only be accessed, if the token is valid.
The generation of a token needs to be handled by the integrating service, typically a web portal or mobile application, where the livestream is integrated via iFrame.
Shared Secret
The SharedSecret, relevant to implement the token generation, is pre-generated and available in the Security panel.
Calculating the HMAC Signature
Required Authentication Information
Information | Description |
---|---|
webcast-id | The ID of the LiveStream Pro Event |
exp-time | The Time at which the signature expired (epoch timestamp) |
Shared secret | Can be found in the channel settings in the security tab. |
HMAC message schema
The message is the basis for the calculation of the signature. It is composed as follows:
{"webcast-id":"%webcastId%","exp-time":"%expiryTime%"}
You will find the LiveStream Pro ID at the end of the sharing link:
Code Examples
PHP (with sprintf)
<?php
$webcastId = "212zpS6bjN77eixPUMUEjR";
$sharedSecret = "abc123";
$hexedSharedSecret = "616263313233"; // the hexadecimal representation of the given shared secret "abc123" ( bin2hex('abc123') )
$lifeTime = 5;
function generateToken($webcastId, $hexedSharedSecret, $lifeTime)
{
$expiryTime = time() + ($lifeTime*60);
$data = sprintf("{\"webcast-id\":\"%s\",\"exp-time\":\"%s\"}" , $webcastId, $expiryTime);
$hash = hash_hmac ( "sha256", $data , hex2bin($hexedSharedSecret) );
$token = sprintf ("%s~%s", $expiryTime , $hash);
return $token;
}
$token = generateToken($webcastId, $hexedSharedSecret, $lifeTime);
echo $token;
?>
PHP (with json_encode)
<?php
$webcastId = "212zpS6bjN77eixPUMUEjR";
$sharedSecret = "abc123";
$hexedSharedSecret = "616263313233"; // the hexadecimal representation of the given shared secret "abc123" ( bin2hex('abc123') )
$lifeTime = 5;
function generateToken($webcastId, $hexedSharedSecret, $lifeTime)
{
$expiryTime = time() + ($lifeTime*60);
$hashPattern = [
'webcast-id' => '%s',
'exp-time' => '%s',
];
$data = sprintf(json_encode($hashPattern), $webcastId, $expiryTime);
$hash = hash_hmac ( "sha256", $data , hex2bin($hexedSharedSecret) );
$token = sprintf ("%s~%s", $expiryTime , $hash);
return $token;
}
$token = generateToken($webcastId, $hexedSharedSecret, $lifeTime);
echo $token;
?>
Testing your HMAC-Implementation
The code samples convert "lifeTime" of the token (in minutes) to "expiryTime" (the Unix epoch timestamp representing the exact second the token will expire). This means the code generated will be different every time you calculate it even if you input the same values (the lifeTime is converted to seconds and added to the current epoch time). You can check your output by testing with a specific expiryTime instead of calculating it.
HMAC Example
You can test your HMAC-implementation with the following parameters:
Parameter | |
---|---|
webcast-id | 212zpS6bjN77eixPUMUEjR |
sharedSecret | abc123 |
hexedSharedSecret | 616263313233 (the hexadecimal representation of the given shared secret "abc123") |
expiryTime | 1671037090 |
The message should look like:
{"webcast-id":"212zpS6bjN77eixPUMUEjR","exp-time":"1671037090"}
The following signature should be calculated with these parameters:
1671037090~09aeed76b483c0e4d34bdd1df6b4843dd436d8daf38f00cd13d6f62217d763e1
Usage of the Token
The token needs to be added to the URL of the LiveStream Pro event as a URL parameter.
https://lspro.movingimage.com/view/mgh0YQsb7hJvw7Lj922HO?hmac-token=1671037090~09aeed76b483c0e4d34bdd1df6b4843dd436d8daf38f00cd13d6f62217d763e1