Docs
MK.IO
how-to
DRM Content Protection
Multi-DRM Encryption

Multi-DRM Encryption

Multi-DRM encryption protects your streams with industry-standard DRM systems so that content plays securely across all major browsers and devices. MK.IO supports two multi-DRM configurations: full multi-DRM (Widevine + PlayReady + FairPlay) and CENC-only (Widevine + PlayReady).

Prerequisites

  • A running streaming endpoint.
  • An asset verified to play without encryption using Predefined_ClearStreamingOnly.
  • For FairPlay: an Apple FairPlay Streaming certificate, password, and application secret key.

Choose your configuration

ConfigurationStreaming policyRequired schemesUse when
Full multi-DRMPredefined_MultiDrmStreamingWidevine + PlayReady + FairPlayYou need to support all platforms, including Safari and Apple devices.
CENC multi-DRMPredefined_MultiDrmCencStreamingWidevine + PlayReadyYou do not need FairPlay support. Covers Chrome, Edge, Android, and most smart TVs.

The streaming policy enforces which DRM schemes must be present in the content key policy. A Predefined_MultiDrmStreaming locator fails if the policy does not include all three schemes. A Predefined_MultiDrmCencStreaming locator fails if it does not include both Widevine and PlayReady.

Full multi-DRM with JWT tokens

This example creates a content key policy with Widevine, PlayReady, and FairPlay, all protected by JWT token authentication.

Create the content key policy

  1. Navigate to Content Key Policies and select Create Content Key Policy.
  2. Enter a name (for example, multidrm-jwt) and optional description.
  3. Select Add in the Digital Rights Management section.

Add Widevine

  1. Select Add Widevine.
  2. Enter a policy option name.
  3. Under Use token restriction, select Yes.
  4. Configure the token fields:
    • Token type: JWT
    • Issuer: your chosen issuer string.
    • Audience: your chosen audience string.
    • Primary verification key: your Base64-encoded key.
  5. Leave Widevine template as {} unless you need a custom template.
  6. Select Add.

Add PlayReady

  1. Select Add PlayReady.
  2. Enter a policy option name.
  3. Under Use token restriction, select Yes.
  4. Enter the same issuer, audience, and primary verification key as Widevine.
  5. Leave the PlayReady-specific options at their defaults unless you need custom settings.
  6. Select Add.

Add FairPlay

  1. Select Add FairPlay.
  2. Enter a policy option name.
  3. Under Use token restriction, select Yes.
  4. Enter the same issuer, audience, and primary verification key as the other schemes.
  5. Provide your Apple FairPlay certificate, password, and application secret key.
  6. Select Add.

Create the policy

Select Create. The policy now includes all three DRM schemes with JWT protection.

Generate a JWT token

Follow the JWT token authentication guide to generate a token using the issuer, audience, and primary verification key you configured.

Create a streaming locator

  1. Navigate to your asset and select Add streaming locator.
  2. Enter a name.
  3. Set Streaming policy to Predefined_MultiDrmStreaming.
  4. Set Content key policy to the multi-DRM policy you created.
  5. Select Add, then select the locator and select Apply.

MK.IO generates playback URLs and license acquisition URLs for each DRM system.

Test playback

See Test DRM playback for instructions on testing with MKPlayer.

CENC multi-DRM without tokens

This example creates a content key policy with Widevine and PlayReady only, with no token restriction. Use this for scenarios where token-based authentication is handled elsewhere or is not required.

Create the content key policy

  1. Navigate to Content Key Policies and select Create Content Key Policy.
  2. Enter a name (for example, multidrm-cenc-open) and optional description.
  3. Select Add in the Digital Rights Management section.

Add Widevine

  1. Select Add Widevine.
  2. Enter a policy option name.
  3. Under Use token restriction, select No.
  4. Leave Widevine template as {}.
  5. Select Add.

Add PlayReady

  1. Select Add PlayReady.
  2. Enter a policy option name.
  3. Under Use token restriction, select No.
  4. Leave PlayReady options at defaults.
  5. Select Add.

Create the policy and streaming locator

  1. Select Create to save the policy.
  2. Navigate to your asset and select Add streaming locator.
  3. Set Streaming policy to Predefined_MultiDrmCencStreaming.
  4. Set Content key policy to the CENC policy you created.
  5. Select Add, then select the locator and select Apply.

Test playback

  1. Navigate to the MKPlayer page.
  2. Select DASH as the protocol and Widevine as the DRM.
  3. Paste the DASH playback URL in Source URL.
  4. Paste the Widevine license acquisition URL in License URL.
  5. Select Play.
ClearKey EncryptionJWT Token Authentication