Signed URL is an added security feature, along with our Domain Restriction feature, to prevent your videos from being misused. While our Domain Restriction feature verifies the referrer information sent by the web browser, signed embed code is based upon verifying a signature appended to your embed code that is generated using a secret signing key. An expiration time can be set for your signed embed code, this way the embed code is valid for a limited time only and cannot be reused.

Where to use the signed embed code?

Used on sites that generate dynamic HTML content, programming expertise is required to generate the signed embed codes.

Try this:

Below is an example of an unsigned Private Media Channel embed code:

<iframe src='>

If you notice, the embed code stays the same. To sign the embed code, an addition of two new parameters is appended to the src attribute of the iframe.

The above code will then look like this:

<iframe src="" ... />

The signature parameter is dynamically generated by your application using your secret signing key, and the Private Media Channel will not serve the video unless the signature is valid and has not expired. 

Enabling Signed Embed Codes

To enable signed embed codes, click on My Site > General Settings > Embed Settings > Enable Signed URL. Switch on the 'Enable Signed URL' button. 

Generating Signed Embed Code URLs

The URL-signing protocol we use is very similar to the OAUTH1 signing protocol using a Base64-encoded hash generated using the HMAC-SHA256 algorithm.

First we create the base string, which will be used to generate the hash. The base string is composed of the following elements:

Request method : The request method will always be POST

Host name : The host name will be your channel URL. For example,

Request path : The request path is part of the URL after the host up to the first ? 

If the URL we are signing is gJ9XX98Z?autoplay=1, then the request path is /player/ gJ9XX98Z 

Sorted query parameters : First, to the list of parameters we add the expiration parameter. Choose a time, a few minutes or so in the future (the time on your system should be synced using NTP or a similar protocol, which makes your system think that it is the same time as the Private Media Channel's system). The time you choose should be in UTC. The value should be represented as an Epoch, an integer number of seconds. For example, the time of May 14 2016, 10:00:00 AM (UTC) would be represented as 1463220000. These values need to be encoded into a single string which will be used later on. 

The process to build the string is very specific:

1. Percent encode every key and value that will be signed.

2. Sort the list of parameters alphabetically by encoded key.

3. For each key/value pair: 

  •       Append the '&' character.
  •        Append the encoded key to the output string. 
  •        Append the '=' character to the output string. 
  •        Append the encoded value to the output string.

The following string is generated, by repeating these steps, using the same URL as above:


Now that we have all of our components, it needs to be combined into a single string in the following format:

Request method

Host name

Request path

Sorted query parameters

The string will then look like this, with our example URL from above:




Now that we have our string, it's time to sign it.

Calculating the signature

Now generate your API key to sign the string. Read here on how to generate your API key. Now the signature is calculated by passing the signature base string and signing key to the HMAC-SHA1 hashing algorithm. Algorithm details are explained here, but thankfully there are implementations of HMAC-SHA1 available for every popular language. For example, Ruby has the Open SSL library and PHP has the hash_hmac function.

For example, the output for the example string and signing key of 140e8b4a-0732-4e26-b618-6faf4cc4d536 is "\372\210@wo\356[\335\263\037\222h\230Fo\300\323,|\375". That value, when converted to base64, is the signature for this request: JOdDFg12Ntw1QfBqwYU4o2QKfkJ+taBiabsI/Tb9VFk=

Building the final request URL

First, take the original url: autoplay=1. Next add the expires parameter to the end like this: 

Finally URI encode the signature parameter and add that to the end of the URL like this: &signature=JOdDFg12Ntw1QfBqwYU4o2QKfkJ%2BtaBiabsI%2FTb9VFk%3D

Add this as the src attribute of your iframe like this:

<iframe src=""/>

And your video should appear!