Video Protection

Reference for securing video playback.

Gumlet provides multiple options for securing your video playback. By default, your video playback URLs are public which means they can be played and published anywhere. If this is not what you want, you can use one/multiple playback URL security options provided by Gumlet.

Gumlet provides this set of options per video collection so every video under a particular video collection will be secured by the options. You can find these settings for each video collection edit under the video protection tab in the Gumlet video dashboard.


Secure video playback on collection level.

Available Video Playback Security Options

1. Signed URL

When enabled, this option will provide a 16-bytes hexadecimal secret key to generate a secure token and expiration timestamp (Expiration time should be at least the duration of the Video Asset or the expected duration). Video playback URLs under the video collection will only be accessible with correctly generated tokens by the secret key and under the expiration time. When the signed URL expires, the URL will no longer be playable, even if playback has already started. Following are the code snippets to convert the ordinary Gumlet playback URL to signed URL.

var crypto = require('crypto');

// Gumlet Video Playback URL
var playBackUrl = "";

// Secret key provided by Gumlet
var secret = "GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4=";

secret = Buffer.from(secret, 'base64');

// expiration time in seconds
var tokenlifetime = 3600;

var expiration = Math.round( + tokenlifetime);

var stringForTokenGeneration = playBackUrl.slice(23) + String(expiration);

var signature = crypto.createHmac('sha1', secret).update(stringForTokenGeneration).digest('hex');

console.log(`Token: ${signature}`);

console.log(`Signed Playback URL: ${playBackUrl}?token=${signature}&expires=${expiration}`);
import hmac
from hashlib import sha1
from base64 import b64encode
from datetime import datetime, timedelta

# Gumlet Video Playback URL
playback_url = ""

# Secret key provided by Gumlet
secret = b"GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4="
secret = b64encode(secret)

# expiration time in seconds
token_life_time = 3600;
expiration = + timedelta(seconds=token_life_time)
expiration = int(expiration.timestamp())

string_for_token_generation = playback_url[23:] + str(expiration)
string_for_token_generation = str.encode(string_for_token_generation)

signature = hmac.HMAC(secret, b64encode(string_for_token_generation), sha1).digest().hex()

print("Token: {}".format(signature))

print("Signed Playback URL: {}?token={}&expires={}".format(playback_url, signature, expiration))
require 'base64'
require 'openssl'

# Gumlet Video Playback URL
playback_url = ""

# Secret key provided by Gumlet
secret = "GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4="
secret = Base64.decode64(secret)

# expiration time in seconds
token_life_time = 3600
expiration = + token_life_time

string_for_token_generation = playback_url.slice(23, playback_url.length) + expiration.to_s

signature = OpenSSL::HMAC.hexdigest('sha1', secret, string_for_token_generation)

puts "Token: " + signature

puts "Signed Playback URL: " + playback_url + "?token=" + signature + "&expires=" + expiration

2. Geo-location Block

Using the Geo-location block option, you can block video playback accessibility from certain countries. You select countries (from the list of country names available in ISO 3166-1 alpha-2) that you want to block in video protection settings and video playback will be blocked from those countries.

3. Allowed Referer

The Referer HTTP request header contains an absolute or partial address of the page that makes the request. The Referer header allows a server to identify a page where people are visiting it from. Using allowed referer options, you can ensure that your video is only accessible from a certain server/host. You can specify multiple referrers using which you want your video to be accessible.