Securing Content with Signed Keys

Signed Keys are an alternative to  Domain Control for preventing your videos from being embedded where you don't want them to be. Whereas Domain Control security is based upon verifying the referrer information sent by the embedding user agent, user signed security is based upon verifying a signature appended to your embed code that is generated using a secret signing key shared by you and vzaar.

Note that Signed Keys and Domain Control are mutually exclusive - you can use one or the other but not both.

Typically, Signed Keys are intended for use in applications that are dynamically generating HTML content. Signed Keys allow you to set an expiry time for your embed code, so that a particular embed code is only valid for a limited time into the future. When your application generates an HTML document with an embedded video, it also generates a signed embed code, specific to that page, which is only valid for a short time into the future. If your pages are static, you can't use Signed Keys as the key has to be generated in real time.


Normally, when you embed a vzaar video on your site, you simply use the vzaar generated embed code to do so. It looks something like this:
<iframe src="" ... />
When using Signed Keys, you continue to use the same embed code, however an additional parameter is appended to the src attribute in the iframe. It looks something like this:
<iframe src="" ... /><br>
The uss_token parameter is dynamically generated by your application using your secret signing key, and vzaar will not serve the video unless the token is valid and has not expired. User signed security also applies to playlist embeds.

Enabling Signed Keys

Signed Keys can be enabled in the  security settings section of your settings page. Note that you will also have to generate a signing key on the same page before vzaar will apply user signed security checks to your videos:

Generating signed embed code URLs

There are three ways you can generate the uss_token parameter to append to your embed code. The first works for individual videos only (not playlists), and is specific to the video being embedded. That is, a token generated for a particular video cannot be used for other videos you own.
The second method generates a token that will be valid (until it expires) for any of the videos you own. This can be useful if you are creating a page that embeds a number of different videos and you do not want to generate video specific tokens for each embed. It is also the required method if you are embedding a playlist.
The third is similar to the first, except it also requires you to specify the format (video/download/source) so that you can allow only playback but not downloads with that token.

Video-Specific Tokens

To generate a video specific USS token, you first pick an expiry time for the token. Typically, you would pick a time a few minutes or so in the future (Note that ideally your system time should be synced using NTP or a similar protocol so your system thinks it is the same time that vzaar's system does). The time you pick should be in UTC, and converted to a string of the format:
So, for example, the 10th of July, 2012, 07:18:22 PM (UTC) would be expressed as:

The uss_token parameter is then generated as the following string:


where `<expiry_timestamp>` is the timestamp string generated above, `<video_id>` is the id of the video you are embedding, and `<signing_key>` is your signing key found on the vzaar settings page. MD5() is a function that computes the MD5 hash of a given string.

User-specific Tokens

This token type does not require the video id, and will be valid for any of your videos as well as your playlists. The method for constructing the token is similar to video specific tokens. The final token is computed as:
The differences are the token is now prefixed with '3.', and video id is no longer included in the hashed string.

Format-specific Tokens

Similar to the video-specific token, except it requires you to specify one of video/download/source, depending on what you want to allow:

Language Examples

Here are a few examples of generating user signed security tokens in some common server-side languages:





We do not have full example C# code at this time as we are not .NET engineers. However, the core issue is creating an MD5 hash of the string. There's an article here which explains exactly how to do that:  How do I calculate a MD5 hash from a string?