This tutorial guides you on how to create JWT token and sign with RSA private key. JWT (JSON Web Token) is an encoded representation of a JSON object. JWTs are used in authentication/ authorization mechanisms. Create JWT Token and Sign with RSA Private Key. As mentioned JWT’s are encoded representation of a JSON object. If you are going to use multiple signing keys, it is common practice to create a random ID which identifies the key, and store that ID with the key in your database. When you create JWTs, set the kid field of the header to be this ID. Then when verifying JWTs, this kid field will tell you which signing key should be used for verification.
Introduction
To add an extra level of protection when accessing your video library, or to apply user-level restrictions for your content, you can pass a JSON Web Token (JWT) with your call to the Brightcove Playback API. To create the token, follow these steps:
Generate public-private key pair
The publisher will generate a public-private key pair and provide the public key to Brightcove. The private key is used by the publisher to sign tokens, and is not shared with Brightcove.
There are many ways to generate the public-private key pair. Here are some examples:
Example bash script:
Note that the script below uses the jq package for parsing JSON. If you do not have jq installed see the installation instructions.Example script to generate the key pair:
Run the script:
Example using the Go programming language to generate the key pair:
If you are new to GoGenerate Jwt Token With Private Key Java
, see the The Go Programming Language homepage.Example using node.js to generate the key pair:
This script example requires node version 11 or later.Register public key
You will use the Key API to register your public key with Brightcove.
Generate Jwt Token With Keypad
Key API
The Key API is used to manage your public keys with Brightcove.
Base URL
The base URL for the API is:
Account path
In all cases, requests will be made for a specific Video Cloud Account. So, you will always add the term accounts followed by your account id to the base URL:
Authorization
An access token for requests is required and must be present in the Authorization header::
The access token is a temporary OAuth2 access token that must be obtained from the Brightcove OAuth service. For details on how to obtain client credentials and use them to retrieve access tokens, see the Brightcove OAuth Overview.
Permissions
Requests to the Key API must be made from client credentials with the following permissions:
video-cloud/playback-auth/key/readvideo-cloud/playback-auth/key/write
Manage keys
The Key API supports the following requests:
Notes:
- It is not possible to edit an existing key, but you can delete and create a new one.
- A maximum of 3 keys may be registered at a time and keys may be deleted, to support key rotation. In practice it is best to have only 1 key.
Register a new key:
Put the value of your public key in the API request body. You can find the key in the public_key.txt file.
Request
Using Curl
Response
List keys:
Get a list of public keys in your account.
Get one key:
Get the details for a public key in your account.
Delete one key:
Delete a public key in your account.
Create a JSON Web Token
Publishers create a JSON Web Token (JWT). The token is signed with the RSA algorithm using the SHA-256 hash algorithm (identified in the JWT spec as 'RS256') No other JWT algorithms will be supported.
A subset of the standard JSON Web Token claims will be used, along with some private claims defined by Brightcove. You will create a JSON Web Token signed with your private key.
Claims for Static URL Delivery
The following claims can be used with Brightcove's Static URL Delivery.
Notice that none of the claims are required for Static URL Delivery.| Field | Type | Required | Description |
|---|---|---|---|
accid | String | The account id that owns the content being played | |
drules | String[] | List of delivery rule action IDs to apply, see Implementing Delivery Rules for details. If the config_id query parameter is also set it will be ignored, as this claim overrides it. | |
exp | Integer | Time this token will no longer be valid, in seconds since the Epoch. Must be no more than 30 days from iat | |
iat | Integer | Time this token was issued, in seconds since the Epoch | |
conid | String | If present, this token will only authorize license fetching for a specific Video Cloud video ID. Must be a valid video ID. Note that reference ID is not supported. | |
pro | String | Specifies a protection type in the case where multiple are available for a single video. Values:
| |
vod | Object | Contains specific configuration options for Video-On-Demand. | |
vod.ssai | String | Your Server-Side Ad Insertion (SSAI) configuration id. This claim is required to retrieve either an HLS or a DASH VMAP. |
Here is an example of the JSON Web Token (JWT) claims that you might use:
Generate a token
Libraries are commonly available to generate JWT tokens. For details, see the JSON Web Tokens site.
Example bash script:
Example script to generate the JWT token:
Run the script:
Example using Go
Here is an example of a reference Go implementation (as a cli tool) for generating tokens without the use of any 3rd party library:
If you are new to
Go, see the The Go Programming Language homepage.Results
Here is an example of a decoded token using https://JWT.io specifying the full set of claims:
HEADER:
PAYLOAD:
Test playback
Although not required, you may want to test video playback before configuring a player.
Request playback: