Token Protection
  • 23 Jul 2025

Token protection

LiveStream Pro supports protecting events with a token. This means that an LSPRO Viewer URL can only be accessed if the token is valid.

The generation of a token needs to be handled by the integrating service, typically a web portal or mobile application, where the livestream is integrated via iFrame.

Shared Secret

The SharedSecret required for token generation is pre-generated and available in the Security panel.

Calculating the HMAC Signature

Required Authentication Information

| Information | Description |
|---|---|
| webcast-id | The ID of the LiveStream Pro Event |
| exp-time | The time at which the signature expires (epoch timestamp) |
| Shared secret | Can be found in the channel settings in the security tab. |

HMAC message schema

The message is the basis for the calculation of the signature. It is composed as follows:

{"webcast-id":"%webcastId%","exp-time":"%expiryTime%"}

You will find the LiveStream Pro ID at the end of the sharing link:

Code Examples

PHP (with sprintf)

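<?php

$webcastId = "212zpS6bjN77eixPUMUEjR";
$sharedSecret = "abc123";
$hexedSharedSecret = "616263313233"; // the hexadecimal representation of the given shared secret "abc123" ( bin2hex('abc123') )
$lifeTime = 5; // token lifetime in minutes

function generateToken($webcastId, $hexedSharedSecret, $lifeTime)
{
  // Expiry as a Unix epoch timestamp: now plus the lifetime converted to seconds
  $expiryTime = time() + ($lifeTime * 60);
  // Message to sign, exactly as in the HMAC message schema (no whitespace, both values quoted)
  $data = sprintf("{\"webcast-id\":\"%s\",\"exp-time\":\"%s\"}", $webcastId, $expiryTime);
  // HMAC-SHA256 keyed with the raw bytes of the shared secret; hash_hmac() returns lowercase hex
  $hash = hash_hmac("sha256", $data, hex2bin($hexedSharedSecret));
  // Token format: <expiryTime>~<signature>
  $token = sprintf("%s~%s", $expiryTime, $hash);
  return $token;
}

$token = generateToken($webcastId, $hexedSharedSecret, $lifeTime);
echo $token;
?>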

PHP (with json_encode)

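<?php

$webcastId = "212zpS6bjN77eixPUMUEjR";
$sharedSecret = "abc123";
$hexedSharedSecret = "616263313233"; // the hexadecimal representation of the given shared secret "abc123" ( bin2hex('abc123') )
$lifeTime = 5; // token lifetime in minutes

function generateToken($webcastId, $hexedSharedSecret, $lifeTime)
{
  // Expiry as a Unix epoch timestamp: now plus the lifetime converted to seconds
  $expiryTime = time() + ($lifeTime * 60);

  // json_encode() emits the compact schema {"webcast-id":"%s","exp-time":"%s"},
  // which then serves as the sprintf() format string
  $hashPattern = [
    'webcast-id' => '%s',
    'exp-time' => '%s',
  ];

  $data = sprintf(json_encode($hashPattern), $webcastId, $expiryTime);
  // HMAC-SHA256 keyed with the raw bytes of the shared secret; hash_hmac() returns lowercase hex
  $hash = hash_hmac("sha256", $data, hex2bin($hexedSharedSecret));
  // Token format: <expiryTime>~<signature>
  $token = sprintf("%s~%s", $expiryTime, $hash);
  return $token;
}

$token = generateToken($webcastId, $hexedSharedSecret, $lifeTime);
echo $token;
?>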

Testing your HMAC-Implementation

The code samples convert the "lifeTime" of the token (in minutes) to "expiryTime" (the Unix epoch timestamp representing the exact second the token will expire). This means the generated token will be different every time you calculate it, even if you input the same values, because the lifeTime is converted to seconds and added to the current epoch time. You can check your output by testing with a specific expiryTime instead of calculating it.

HMAC Example

You can test your HMAC-implementation with the following parameters:

| Parameter | |
|---|---|
| webcast-id | 212zpS6bjN77eixPUMUEjR |
| sharedSecret | abc123 |
| hexedSharedSecret | 616263313233 (the hexadecimal representation of the given shared secret "abc123") |
| expiryTime | 1671037090 |

The message should look like:

{"webcast-id":"212zpS6bjN77eixPUMUEjR","exp-time":"1671037090"}

The following signature should be calculated with these parameters:

1671037090~09aeed76b483c0e4d34bdd1df6b4843dd436d8daf38f00cd13d6f62217d763e1
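
The self-test described above, as an added Python example (not part of the original article or of LiveStream Pro's own code): it signs the published test parameters with a fixed expiryTime so the output can be compared with the token shown above, and it uses compact JSON separators because the default json.dumps output contains spaces and produces a different signature. check_token is a hypothetical local helper for testing your own generator; how the LiveStream Pro service validates tokens is not described on this page.

```python
import hashlib
import hmac
import json
import time

# Test parameters published on this page
WEBCAST_ID = "212zpS6bjN77eixPUMUEjR"
HEXED_SECRET = "616263313233"
EXPIRY = 1671037090
DOCUMENTED_TOKEN = "1671037090~09aeed76b483c0e4d34bdd1df6b4843dd436d8daf38f00cd13d6f62217d763e1"


def build_message(webcast_id: str, expiry: int) -> str:
    # Compact separators and a string exp-time reproduce the schema byte for byte;
    # json.dumps defaults would insert spaces and change the signature.
    return json.dumps({"webcast-id": webcast_id, "exp-time": str(expiry)},
                      separators=(",", ":"))


def make_token(webcast_id: str, hexed_secret: str, expiry: int) -> str:
    key = bytes.fromhex(hexed_secret)  # same role as hex2bin() in the PHP samples
    sig = hmac.new(key, build_message(webcast_id, expiry).encode(), hashlib.sha256)
    return f"{expiry}~{sig.hexdigest()}"


def check_token(token: str, webcast_id: str, hexed_secret: str, now: int) -> bool:
    """Local self-test helper (hypothetical; not the LiveStream Pro server logic)."""
    expiry_text, sep, _ = token.partition("~")
    if not sep or not (expiry_text.isascii() and expiry_text.isdigit()):
        return False  # malformed token
    expiry = int(expiry_text)
    if now >= expiry:
        return False  # expired
    expected = make_token(webcast_id, hexed_secret, expiry)
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(expected.encode(), token.encode())


if __name__ == "__main__":
    token = make_token(WEBCAST_ID, HEXED_SECRET, EXPIRY)
    print("message:", build_message(WEBCAST_ID, EXPIRY))
    print("token:  ", token)
    print("matches documented token:", token == DOCUMENTED_TOKEN)
    live = make_token(WEBCAST_ID, HEXED_SECRET, int(time.time()) + 5 * 60)
    print("live token accepted locally:",
          check_token(live, WEBCAST_ID, HEXED_SECRET, int(time.time())))
```
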

Usage of the Token

The token needs to be added to the URL of the LiveStream Pro event as a URL parameter.

https://lspro.movingimage.com/view/mgh0YQsb7hJvw7Lj922HO?hmac-token=1671037090~09aeed76b483c0e4d34bdd1df6b4843dd436d8daf38f00cd13d6f62217d763e1

