Generate and Sign Playback Tokens - Amazon Interactive Video Service

Generate and Sign Playback Tokens

For details on working with JWTs and the supported libraries for signing tokens, consult a JWT reference site. On such a browser-based signing interface, you must enter your private key to sign tokens; the public key is needed only if you want to verify tokens. Do this only with test keys: never paste the private key of a production playback-key resource into a third-party web page.

Token Schema

All JWTs have three fields: header, payload, and signature.

  • The header specifies:

    • alg is the signing algorithm. This is ES384, an ECDSA signature algorithm that uses the SHA-384 hash algorithm.

    • typ is the token type, JWT.

    { "alg": "ES384", "typ": "JWT" }
  • The payload contains data specific to Amazon IVS:

    • channel-arn is a reference for the video-playback request.

    • access-control-allow-origin is an optional field that can be used to restrict playback to a specified origin; i.e., to make a stream viewable from only a specified website. For example, you may want to prevent people from embedding the player on other websites. By default, playback is allowed on all origins. (Note that this restricts only the browser client; it does not restrict playback from a non-browser client.) This field may contain multiple origins, separated by commas. Wildcard domains are allowed: each origin may begin its hostname with * (example: https://*

    • strict-origin-enforcement is an optional field that strengthens the origin restriction specified in the access-control-allow-origin field. By default, the access-control-allow-origin restriction applies only to the multivariant playlist. If strict-origin-enforcement is enabled, the server requires that the requesting origin match the token for all playback requests (multivariant playlist, variant playlist, and segments). This means that all clients (including non-browser clients) must send a valid Origin request header with each request. Use the setOrigin method to set the header in the IVS iOS and Android player SDKs. Browsers set it automatically, except iOS Safari: there, add crossorigin="anonymous" to the video element to ensure the Origin request header is sent. Example: <video crossorigin="anonymous"></video>.

    • single-use-uuid is an optional field which contains a valid universally unique identifier (UUID) that you generate as part of authoring the token. If you add this field and a UUID value, the associated token that you generate is invalidated once it is used to fetch a multivariant playlist and watch a stream. Single-use auth tokens make it more difficult for malicious users to share a stream on your private channels with other viewers. Note that when using the single-use-uuid claim, the maximum value for the exp claim is 10 minutes in the future.

    • exp is a Unix UTC timestamp for when the token expires. This does not indicate the length of time that the stream can be viewed: the token is validated when the viewer initializes playback, not throughout the stream, so a viewer who has already started playback is not cut off when exp passes. Enter this value as an integer.

    { "aws:channel-arn": "<channel_arn>", "aws:access-control-allow-origin": "<your-origin>", "aws:strict-origin-enforcement": true, "aws:single-use-uuid": "<UUID>", "exp": <unix timestamp> }
  • To create the signature, use the private key with the algorithm specified in the header (ES384) to sign the encoded header and encoded payload.

    ECDSASHA384( base64UrlEncode(header) + "." + base64UrlEncode(payload), <private-key> )


  1. Generate the token’s signature with the ES384 signing algorithm and a private key that is associated with one of your playback-key resources (see the ECDSASHA384 example above).

  2. Assemble the token.

    base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + base64UrlEncode(signature)
  3. Append the signed token to the playback URL as a query parameter:

    api/video/v1/ channel.fbc789c1-2c56-4ce6-a30a-d99275dc4481.m3u8?token=<token>