Video Protection

Protect your videos using expiry URLs, geo-blocking, and whitelisted websites

Gumlet provides multiple options for securing your video playback. Your video playback URLs are public by default, meaning they can be played and published anywhere. If this is not what you want, you can use one/multiple playback URL security options provided by Gumlet.

Gumlet's video protection works well with collections. All the videos inside collections will follow the security protocols configured at the collection level. The security settings are available in your collection settings.

Video Security

Secure video playback on the collection level.

Available Video Playback Security Options

1. Signed URL

When enabled, this option will provide a 16-byte hexadecimal secret key to generate a secure token and expiration timestamp (Expiration time should be at least the duration of the Video Asset or the expected period). Video playback URLs under the video collection will only be accessible with correctly generated tokens by the secret key and under the expiration time. When the signed URL expires, the URL will no longer be playable, even if playback has already started. The code snippets are to convert the ordinary Gumlet playback URL to a signed URL.

var crypto = require('crypto');

// Gumlet Video Playback URL
var playBackUrl = "";

// Secret key provided by Gumlet
var secret = "GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4=";

secret = Buffer.from(secret, 'base64');

// expiration time in seconds
var tokenlifetime = 3600;

var expiration = Math.round( + tokenlifetime);

var stringForTokenGeneration = playBackUrl.slice(23) + String(expiration);

var signature = crypto.createHmac('sha1', secret).update(stringForTokenGeneration).digest('hex');

console.log(`Token: ${signature}`);

console.log(`Signed Playback URL: ${playBackUrl}?token=${signature}&expires=${expiration}`);
import hmac
from hashlib import sha1
from base64 import b64decode
from datetime import datetime, timedelta

# Gumlet Video Playback URL
playback_url = ""

# Secret key provided by Gumlet
secret = b"GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4="
secret = b64decode(secret)

# expiration time in seconds
token_life_time = 3600;
expiration = + timedelta(seconds=token_life_time)
expiration = int(expiration.timestamp())

string_for_token_generation = playback_url[23:] + str(expiration)
string_for_token_generation = str.encode(string_for_token_generation)

signature = hmac.HMAC(secret, string_for_token_generation, sha1).digest().hex()

print("Token: {}".format(signature))

print("Signed Playback URL: {}?token={}&expires={}".format(playback_url, signature, expiration))
require 'base64'
require 'openssl'

# Gumlet Video Playback URL
playback_url = ""

# Secret key provided by Gumlet
secret = "GNCP2ePfmdV3bHKqbiBAlXQXHKmI9+DZfLVptsvgUU4="
secret = Base64.decode64(secret)

# expiration time in seconds
token_life_time = 3600
expiration = + token_life_time

string_for_token_generation = playback_url.slice(23, playback_url.length) + expiration.to_s

signature = OpenSSL::HMAC.hexdigest('sha1', secret, string_for_token_generation)

puts "Token: " + signature

puts "Signed Playback URL: " + playback_url + "?token=" + signature + "&expires=" + expiration

2. Whitelist Refererres

The Referer HTTP request header contains the page's absolute or partial address that makes the request. The Referer header allows a server to identify a page from which people visit it. With allowed referer settings, you can ensure that your video is only accessible from a specific server/host. You can specify multiple referrers using which you want your video to be accessible.

3. Video Privacy

Mark your videos public, or private, or add a password to them.


The public status represents that videos are publicly playable and can be indexed by search engines.


The private videos are unlisted. These are available only when the link is shared.


Add a password to your videos to make them bulletproof. The embedded videos also require a password to play.