How clients pass tokens to Azure Media Services key delivery services

We constantly get questions about how a player can pass a token to our key delivery services, where it is verified before the player obtains the key. We support two token formats: Simple Web Token (SWT) and JSON Web Token (JWT). Token authentication can be applied to any type of key, regardless of whether you are using Common Encryption or AES envelope encryption in the system.

Here are four ways you can pass the token from your player, depending on the player and platform you are targeting:

1. Through the HTTP Authorization header.

Note that the “Bearer ” prefix is expected, per the OAuth 2.0 specs.

There is a sample player with token configuration hosted on the Azure Media Player demo page. Choose AES (JWT Token) or AES (SWT Token) to set the video source. The token is passed via the Authorization header.

2. By adding a URL query parameter of the form “token=tokenvalue”.

Note that no “Bearer ” prefix is expected. Since the token is sent through a URL, you will need to armor the token string. Here is C# sample code showing how to do it:

3. Through the CustomData field.

For PlayReady license acquisition only, the token can be passed through the CustomData field of the PlayReady License Acquisition Challenge. In this case, the token must be inside the XML document described below.

Please put your authentication token in the <Token> element.

4. Alter the playlist.

If you need to configure token authentication for AES + HLS playback on iOS/Safari, there is no way to send the token directly. Please see my blog on how to alter the playlist to enable this scenario.

Here are some tutorials on MSDN that walk you through the process end to end:
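Options 1 and 2 above, side by side, as an added JavaScript example (it is not the C# sample this post refers to and not Azure Media Services code). The key URL and the SWT are constructed placeholders, and "armoring" is assumed here to mean percent-encoding the token before it goes into the query string.

```javascript
// Added example. KEY_URL and SWT are constructed placeholders, not real values.
const KEY_URL =
  "https://keydelivery.example.invalid/?KID=00000000-0000-0000-0000-000000000000";
// An SWT is form-encoded name=value pairs, so it is full of '&', '=' and '%'.
const SWT =
  "Issuer=http%3a%2f%2fissuer.example&Audience=urn%3atest" +
  "&ExpiresOn=1700000000&HMACSHA256=abc%2bdef%3d";

// Option 1: Authorization header, with the "Bearer " prefix.
function viaHeader(keyUrl, token) {
  return { url: keyUrl, headers: { Authorization: "Bearer " + token } };
}

// Option 2: "token=" query parameter, no prefix, token percent-encoded.
function viaQuery(keyUrl, token) {
  const sep = keyUrl.includes("?") ? "&" : "?";
  return { url: keyUrl + sep + "token=" + encodeURIComponent(token), headers: {} };
}

// The mistake option 2 warns about: the raw token pasted into the URL.
function viaQueryUnarmored(keyUrl, token) {
  const sep = keyUrl.includes("?") ? "&" : "?";
  return { url: keyUrl + sep + "token=" + token, headers: {} };
}

// What a standard query-string parser on the receiving side recovers.
function tokenSeenByReceiver(requestUrl) {
  return new URL(requestUrl).searchParams.get("token");
}

// Armored: the full token round-trips. Unarmored: it is cut at the first '&'
// and the remaining SWT fields become unrelated query parameters.
console.log(tokenSeenByReceiver(viaQuery(KEY_URL, SWT).url) === SWT);
console.log(tokenSeenByReceiver(viaQueryUnarmored(KEY_URL, SWT).url));
```

A token carried in the query string also ends up wherever URLs are recorded (proxy and server logs, browser history), so the header is the better choice when the player supports it.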

Using PlayReady Dynamic Encryption and License Delivery Services 

Using AES-128 Dynamic Encryption and Key Delivery Services

Please let me know if you have any questions. I could be reached at
