Restrict Vidyard videos to your secure site using JSON Web Tokens
With JSON Web Tokens, you can secure individual videos to a secure site so that they can only be viewed by authorized audiences. Any videos you secure using this method will play only on the secure pages that you set up. If a viewer attempts to view or embed the video on any other site, the video will not load.
How does it work?
With this method, the web page where your secured Vidyard video is embedded will receive a unique JWT informing it that the viewer who loaded the page is authorized to view that video content.
The Vidyard video player on the page will then check for that token. If the token is located, the player will pass it to the Vidyard platform to validate. If validated, Vidyard will allow the video to play. If it does not find a token, playback will be restricted.
This is a great solution for any secure communication platforms or intranet-type sites that require authentication to access. Securing videos in this way on your site ensures that the video content will not be shareable outside of the authenticated platform.
Step 1: Generate the JWT
Create a backend application to listen for a call from your webpage requesting a JWT. This application must:
- Receive the request
- Generate a JWT based on the specifications listed in Step 2
- Post the generated token back to your web page
Step 2: Add a script to your webpage to request a JWT
Add a script to your webpage that calls a backend application requesting a JSON Web Token with the following specifications:
//header
{ "alg": "HS256", "typ": "JWT" }
. . .
//payload
{ "iss": "api_token", "exp": "1515164623", "role_id": "67890", "player_uuid": "X34Z4h6QcGHfJJ45VMJ6R5" }
- In the payload, do not change "api_token"
- Replace "1515164623" with an expiry value in the form of POSIX time code (UNIX time). This value determines at what point in time Vidyard will no longer accept the JWT as valid.
- While not required as part of the JWT payload, an expiry value is recommended as a security best practice.
- Replace "67890" with your Role ID.
- Please contact the Vidyard Support team or your CSM to get this information, then continue to point 4
- Replace X34Z4h6QcGHfJJ45VMJ6R5 with the UUID of the video you want to load on this page.
- If you need help, check out our article on how to find the UUID of a video
- In the signature, replace "Vidyard API token" with the API token for your group
- To find the API token: first ensure you are in the correct folder. If necessary, select Change Folder
- Once in the correct folder, select Admin > Integrations
- Insert the API token associated to the Role ID provided above.
//signature
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), Vidyard API token )
For example: if the ID provided is for the role "user", insert the User API Token.
Important: Ensure that the API token relates to the folder that the video belongs to. It cannot be from the parent folder if the video is in a subfolder.
Here is what a script to make a JWT request and build a Vidyard video might look like:
<head>
<script type="text/javascript" async src="https://play.vidyard.com/embed/v4.js"></script>
</head>
<body>
<script type="text/javascript">
// call web app to create the JWT
function generateJWT (uuid) {
// your code goes here
return jwt;
}
let playerUUID = 'PLAYERUUIDHERE';
let playerJWT = generateJWT(playerUUID);
window['onVidyardAPI'] = (vidyardEmbed) => {
vidyardEmbed.api.renderPlayer({
uuid: playerUUID,
container: document.querySelector('.player'),
type: 'inline',
jwt: playerJWT
});
};
</script>
<div class='player'>
</div>
</body>
Step 3: Enable JWT security on any videos you wish to embed
- Within the access settings for a Vidyard video, choose Only viewers with a secure platform to enable JWT security for that video.
- When a JWT secured Vidyard video player is loaded on your secured page, the player will search for a JWT token.
- If the player does not find a JWT or the token is invalid, the player will not load your content.
- If the player finds a JWT, it will send the token to Vidyard for validation. If validated, the Vidyard platform will allow the video to play.