Roku Developer Program

Join our online forum to talk to Roku developers and fellow channel creators. Ask questions, share tips with the community, and find helpful resources.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

How to Token Auth?

We are creating/developing a Channel for a business and we know it's possible to add token to secure the URL of the video , but we are half way there.

We've had done some research and testing, we've encrypted the xml, we've done wireless snooping to try to understand how url's can be protected.
We've learned adding a token is a safe way to do it.... but we have not yet accomplished it.

Another is to have a unique key stored on the device that all requests are signed with. The signature is usually the URL parameters, sorted alphabetically, and signed with the key as an MD5 hash or using SHA256 or SHA128. Each url expires within a few moments after it is used, and a new signature is generated **on the roku** from the locally stored key for each URL request. Again, your server rejects or ignores any non-signed URLs. The signature has to match the content of the URL parameters. You could generate the signing key on your server and return it via SSL when the user enters their username and password, or when the user Links their device to your website.

Most cases though, the key (usually called the developer key) is used for all devices, and would be hard-coded into the application.

Set the expiration longer in the future. Also, generate the URL and token at the moment the user clicks Play, make sure it doesn't expire during the length of the video playback, with some room to spare for taking breaks from watching.

- Joel

Our client videos url are still accessible through wireshark/wireless packet reading, and we need to protect them.

We have developed a web application to manage the channel and its users, but this token on the url is something we need the guidance.
0 Kudos
Roku Guru

Re: How to Token Auth?

I would think your solution would largely depend on how you're serving your video content. For example, using AWS, you could secure your urls as described in Serving Private Content through CloudFront in the section on Using Signed Urls. I assume you're already transmitting your videos using encryption (TLS), which should protect the content of the videos.
0 Kudos