Generate and Sign Playback Tokens - Amazon Interactive Video Service

Generate and Sign Playback Tokens

For details on working with JWTs and the supported libraries for signing tokens, visit

Token Schema

All JWTs have three fields: header, payload, and signature.

  • The header specifies:

    • alg is the signing algorithm. This is ES384, an ECDSA signature algorithm that uses the SHA-384 hash algorithm.

    • typ is the token type, JWT.

    { "alg": "ES384", "typ": "JWT" }
  • The payload contains data specific to Amazon IVS:

    • channel-arn is a reference for the video-playback request.

    • access-control-allow-origin is an optional field that can be used to restrict playback to specified domains; i.e., to make a stream viewable from only a specified website. For example, you may want to prevent people from embedding the player on other websites. By default, playback is allowed on all domains.

    • exp is a Unix timestamp for when the token expires. This does not indicate the length of time that the stream can be viewed. The token is validated when the viewer initializes playback, not throughout the stream. Enter this value as an integer type value.

    { "aws:channel-arn": "<channel_arn>", "aws:access-control-allow-origin": "<your-website>", "exp": <unix timestamp> }
  • To create the signature, use the private key with the algorithm specified in the header (ES384) to sign the encoded header and encoded payload.

    ECDSASHA384( base64UrlEncode(header) + "." + base64UrlEncode(payload), <private-key> )


  1. Generate the token’s signature with the ES384 signing algorithm and a private key that is associated with one of your playback-key resources (see the ECDSASHA384 example above).

  2. Assemble the token.

    base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + base64UrlEncode(signature)
  3. Append the signed token to the playback URL as a query parameter. api/video/v1/ channel.fbc789c1-2c56-4ce6-a30a-d99275dc4481.m3u8?token=<token>