A content key policy defines which DRM encryption schemes protect your content and whether viewers must present a JWT token to obtain a decryption license. You create the policy once and reference it from any number of streaming locators.
Prerequisites
- A running streaming endpoint.
- An asset ready for playback. Verify it plays without encryption using a Predefined_ClearStreamingOnly streaming locator before adding DRM.
Choose your policy type
Before creating a policy, decide which DRM schemes you need. This determines which predefined streaming policy you will pair it with later.
| If you need | Create a policy with | Pair with streaming policy |
|---|---|---|
| Basic encryption only | ClearKey | Predefined_ClearKey |
| Widevine and PlayReady (no FairPlay) | Widevine + PlayReady | Predefined_MultiDrmCencStreaming |
| Widevine, PlayReady, and FairPlay | Widevine + PlayReady + FairPlay | Predefined_MultiDrmStreaming |
A Predefined_MultiDrmStreaming policy requires all three DRM schemes (Widevine, PlayReady, and FairPlay) in the content key policy. A Predefined_MultiDrmCencStreaming policy requires both Widevine and PlayReady. If the content key policy does not include the required schemes, creating the streaming locator will fail.
Create a policy in the UI
Open the Content Key Policies page
Navigate to Content Key Policies from the left-hand menu and select Create Content Key Policy.
Name your policy
Enter a name for the policy and an optional description. Use a descriptive name that indicates the encryption type and token setting, such as multidrm-jwt or clearkey-open.
Add encryption schemes
Add the DRM schemes your policy requires:
- For ClearKey: select Add next to the Clear Key section.
- For DRM: select Add in the Digital Rights Management section, then add each scheme individually (Add Widevine, Add PlayReady, Add FairPlay).
For each scheme, configure:
- Policy option name: a recognizable label for this scheme within the policy.
- Use token restriction: select Yes to require a JWT token for license acquisition, or No for open access.
- If token restriction is enabled, provide:
  - Token type: select JWT.
  - Issuer: a string identifying who issued the token (for example, your company name or service identifier).
  - Audience: a string identifying the intended recipient of the token.
  - Primary verification key: a Base64-encoded symmetric key used to validate the JWT signature.
- For Widevine: optionally provide a Widevine template (defaults to {}).
- For PlayReady: optionally configure PlayReady-specific license settings.
- For FairPlay: provide the Apple FairPlay certificate, password, and application secret key.
Select Add to save each scheme.
Use the same issuer, audience, and primary verification key values across all DRM schemes in a single policy. These values must match the JWT token you generate for playback.
Create the policy
Select Create at the bottom of the page. The policy appears in the Content Key Policies list and is ready to use in a streaming locator.
What to do next
- Set up ClearKey encryption for basic content protection.
- Set up Multi-DRM encryption for Widevine, PlayReady, and FairPlay.
- Generate a JWT token if your policy uses token restriction.