Learn how to leverage Digital Rights Management (DRM) to protect your videos
Mux Video's DRM feature is currently in beta, and is not covered by Mux's support SLAs. You should take this into account when considering using this feature for production traffic. You can request access to DRM from the betas page.
Check out our blog on "What is DRM" to learn more about the concepts of DRM.
DRM (Digital Rights Management) provides an extra layer of content security for video content streamed from Mux.
Leveraging DRM blocks or limits the impact of:
Mux uses the industry standard protocols for delivering DRM protected video content, specifically Google Widevine, Microsoft PlayReady, and Apple FairPlay.
DRM requires the use of Signed URLs, and when combined with Domain and User-Agent restrictions, can provide a very strong content protection story, up to and including security levels that satisfy the requirements of Hollywood studios.
Before you can start using Mux DRM you must complete the onboarding process. The following is a quick overview of the entire process, and you can find additional detail later in this guide.
Once these steps are complete you will have your DRM configuration ID and be able to test DRM playback on non-Apple devices. Once you've sent us your FairPlay certificates you can test on Apple devices.
DRM playback will work out of the box on every supported platform except for Apple devices. Apple requires you to request your own FairPlay Streaming Deployment package (FPS, often simply referred to as a "FairPlay Certificate"). An FPS can only be requested if you meet the following requirements.
Once you've met these requirements, you will need to fill out a form. The initial questions ask about your DRM infrastructure, which is Mux. Here's some guidance on how to answer those questions.
| Does your organization have a working FPS development server where you'll use the FPS certificate? | Select "Yes" You will use Mux's verified FPS implementation. |
| Do you have a third-party streaming distribution partner? | Select "Yes". Mux is that third-party partner. |
| Streaming Distribution (DRM License Server) Partner Name | Enter "Mux, Inc.". |
| Streaming Distribution (DRM License Server) Partner Website | Enter "https://mux.com". |
| Your Company | Describe your company and the services they provide. |
| Your Content | Describe the type of content you will be protecting with FairPlay and why that content needs DRM. |
| Do you own the content you want to stream? | If you hold full copyright ownership of your content, select "Yes". Otherwise select "No" and answer the following two additional questions that appear: |
| Do you have a content licensing agreement with the owner of the content? | If you license third-party content, select "Yes". |
| Your Content Provider | If you license third-party content, include the name of that provider and a description of the rights you have to use their content. |
| Is this your first request for FPS credentials? | If this is your first time submitting this form or requesting a FairPlay certificate, select "Yes". |
| Do you assert that the account holder of this developer account owns, or has a license to use, the content that you will be streaming? | Select the most appropriate answer for your situation. |
Once you've submitted the request, approval may take several days. Once approved, Apple will provide documentation for generating the final certificate. This includes generating a private key via your terminal and filling out a form. Make sure when filling out the form you request a v4 FairPlay package.
Once you've created your v4 FairPlay deployment package, contact us and we'll walk you through securely sending us the files.
Before you start using DRM, you need to be on a paid account and then create a new environment. We cannot currently enable DRM for existing environments. Once you have created the environment, contact us with the name and dashboard URL of your environment.
"DRM test environment"
https://dashboard.mux.com/organizations/${ORG_ID}/environments/${ENV_ID}/video/assetsOnce you're onboarded, we'll reply with a DRM configuration ID for this environment, you'll need this when you add a DRM playback ID to an asset. It'll look something like this: (you can't use this one, it's an example only)
2OkGwcOH3IRf1XLjB02vLv015qQaXal500sE5FGqHCVhe9gzYiV02IDTK02r00gorrmkA4jxYK27xzqLAYou can use the DRM Configurations APIAPI to list the DRM Configurations available to your account.
Mux Video supports applying DRM to both live streams and assets.
When using the Create Asset APIAPI, you can add DRM with the advanced_playback_policies and your DRM configuration ID:
// POST /video/v1/assets
{
"input": "https://storage.googleapis.com/muxdemofiles/mux.mp4",
"advanced_playback_policies": [
{
"policy": "drm",
"drm_configuration_id": "your-drm-configuration-id"
}
],
"video_quality": "plus"
}Notes:
plus video quality level.playback_policy field, and advanced_playback_policies field in the same request.signed advanced playback policy in addition to the drm policy.Just like creating a DRM protected asset, DRM protected live streams require configuration ID must be set in the live stream's advanced_playback_policies.
In the example below, we also set the new_asset_settings to also use DRM, so any DVR assets and on-demand assets also have DRM applied.
// POST /video/v1/live-streams
{
"advanced_playback_policies": [
{
"policy": "drm",
"drm_configuration_id": "your-drm-configuration-id"
}
],
"new_asset_settings": {
"advanced_playback_policies": [
{
"policy": "drm",
"drm_configuration_id": "your-drm-configuration-id"
}
]
}
}Mux supports three types of DRM: Widevine, FairPlay, and PlayReady. These three DRM systems cover the vast majority of devices in use today, including desktop browsers, mobile browsers, and living room devices (OTT).
Before you start to build your DRM integration, make sure Mux's DRM supports your target platforms. Mux's DRM is verified to work on all of the following platforms, but likely works on additional platforms. If you would like us to verify an additional platform, please contact us.
The following desktop browsers support Mux DRM via the Mux Web Player, or any of the players listed in our player documentation.
The following mobile browsers support Mux DRM via the Mux Web Player, or any of the players listed in our player documentation.
The following living room devices support Mux DRM, and link to the relevant documentation.
To successfully play back content protected by Mux DRM you will need your asset's playback ID and two secure tokens; a playback token and a DRM license token. These tokens are both signed using the JWT requirements laid out in our secure video playback guide.
If you're using our node library to sign your license URLs we offer a helper function:
const mux = new Mux({
tokenId: "your-access-token-id",
tokenSecret: "your-access-token-secret",
jwtSigningKey: "your-environment-signing-public-key",
jwtPrivateKey: "your-environment-signing-private-key"
});
const playbackToken = await mux.jwt.signPlaybackId("your-playback-id", {expiration: '7d'});
const drmLicenseToken = await mux.jwt.signDrmLicense("your-playback-id", {expiration: '7d'});Once you have created your signing tokens, you can use them directly in a Mux player. If you are using a non-Mux player you use these tokens to build your playback and license URLs.
Now that you have the necessary tokens, we can hook them into a Mux Player.
To play back DRM protected content, you should instantiate the player with the new drm-token parameter set to the DRM license token that you generated previously. In Mux Player React, you'll use the tokens prop to set the drm token.
Support for DRM in Mux Player was added in version 2.8.0.
<mux-player
playback-id="your-playback-id"
playback-token="your-playback-token"
drm-token="your-drm-token"
thumbnail-token="your-thumbnail-token"
storyboard-token="your-storyboard-token"
></mux-player>You can see a demo of this working in codesandbox here.
With your new tokens all wired up correctly, you should be able to play back your freshly DRM protected content!
Here's a demo page with some pre-prepared DRM protected content you can also test a device against.
Full documentation for using DRM with Mux Player for web can be found here.
The DRM license token can be configured on PlaybackOptions using the following API:
Support for DRM in Mux Player for iOS was added in version 1.1.0.
let playbackOptions = PlaybackOptions(
drmToken: "your-drm-license-token",
playbackToken: "your-playback-token",
)
let player = AVPlayer(
playbackID: "your-playback-id",
playbackOptions: playbackOptions
)Full documentation for using DRM Mux Player for iOS can be found here.
The DRM license token can be configured when instantiating a MediaItem using the MediaItems factory class as follows:
Support for DRM in Mux Player for Android was added in version 1.1.0.
// You don't need to add your own DrmSessionManager, we take care of this
val player = // Whatever you were already doing
val mediaItem = MediaItems.mediaItemFromPlaybackId(
playbackId = "your-playback-id",
playbackToken = "your-playback-token",
drmToken = "your-drm-license-token"
)
// Normal media3 boilerplate
player.setMediaItem(mediaItem)
player.prepare()Full documentation for using DRM Mux Player for Android can be found here.
If you can't use one of the Mux players, you still have options. Mux's DRM is compatible with a wide range of third party players. Because these players don't know exactly how Mux's DRM works, you'll need to build the correct playback and license URLs, then add them to the player.
The following examples demonstrate the license URL structure for each of the supported DRM providers.
https://license.mux.com/license/widevine/{playback-id}?token={drm-license-token}Before you can use FairPlay DRM, you must request the proper certificate from Apple. Once FairPlay is enabled on your account, you will use one license url and one certificate URL.
License URL
https://license.mux.com/license/fairplay/{playback-id}?token={drm-license-token}Certificate URL
https://license.mux.com/appcert/fairplay/{playback-id}?token={drm-license-token}https://license.mux.com/license/playready/{playback-id}?token={drm-license-token}The following third-party players have been tested with Mux DRM. If you are using a player not listed here, check out our notes on other players.
In order to play back DRM protected content in Roku, add your DRM Configuration to your content node. This includes the following:
requires_widevine_drm=1
requires_widevine_version=1.0contentNode, ensure you reference the DRM configuration and license URL as follows:drmParams = {
keySystem: "Widevine",
licenseServerURL: "https://license.mux.com/license/widevine/${PLAYBACK_ID}?token=${DRM_LICENSE_JWT}"
}
contentNode = CreateObject("roSGNode", "ContentNode")
contentNode.url = "<content URL>"
contentNode.drmParams = drmParams
contentNode.title = "<your title>"
contentNode.length = <duration in seconds>
' other contentNode properties can be added here,
' then play your video as you normally wouldChromecast devices use Google Cast to send videos from one device to another. There are quite a few steps to set up Google Cast, so we recommend you check out our Google Cast guide for more details.
HLS.js supports DRM via configuration keys in any browser with native MSE support (e.g. old versions of Safari). For browsers that do not support MSE, you will need to use the native video element. Both flows are included in the example below.
// This browser supports MSE and EME, so we can use hls.js
if (Hls.isSupported()) {
var hls = new Hls({
emeEnabled: true,
drmSystems: {
'com.widevine.alpha': {
licenseUrl: 'https://license.mux.com/license/widevine/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}'
},
'com.microsoft.playready': {
licenseUrl: 'https://license.mux.com/license/playready/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}'
},
'com.apple.fps': {
licenseUrl: 'https://license.mux.com/license/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
serverCertificateUrl: 'https://license.mux.com/appcert/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
}
}
});
// This browser supports EME but not MSE, so we need to use the native video element
} else if (video.canPlayType('application/x-mpegURL')) {
video.src = mediaUrl;
video.addEventListener('encrypted', async function(event) {
const initDataType = event.initDataType;
const initData = event.initData;
// Retrieve a MediaKeySystemAccess object to interact with the DRM system
const access = await navigator.requestMediaKeySystemAccess('com.apple.fps', [{
initDataTypes: [initDataType],
videoCapabilities: [{ contentType: 'application/vnd.apple.mpegurl', robustness: '' }],
distinctiveIdentifier: 'not-allowed',
persistentState: 'not-allowed',
sessionTypes: ['temporary'],
}]);
if (!access) {
console.error('Cannot play DRM-protected content with current security configuration on this browser. Try playing in another browser.');
return;
}
// Create DRM keys
const keys = await access.createMediaKeys();
// Get the FairPlay license and certificate
const certificate = await fetch('https://license.mux.com/appcert/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}').then(async (res) => {
const keyBuffer = await res.arrayBuffer();
return new Uint8Array(keyBuffer);
});
if (!certificate) {
console.error('Failed to fetch certificate');
return;
}
// Attach the certificate to the DRM keys
await keys.setServerCertificate(certificate);
// Attach the keys to the video element
await video.setMediaKeys(keys);
// Create a playback session
const session = (video.mediaKeys).createSession();
// Create the data necessary to make a DRM license request
const message = await new Promise((resolve, reject) => {
session.generateRequest(initDataType, initData);
session.addEventListener('message', (messageEvent) => {
resolve(messageEvent.message);
}, { once: true });
});
// Get a DRM license
const response = await fetch('https://license.mux.com/license/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}', {
method: 'POST',
headers: { 'Content-type': 'application/octet-stream' },
body: message,
});
// Attach the license key to the session
const licenseData = await response.arrayBuffer();
await session.update(licenseData);
});
}For more details, check out the HLS.js DRM docs.
Video.js supports DRM via the videojs-contrib-eme plugin.
const player = videojs('vid1', {});
player.eme();
player.src({
src: 'https://stream.mux.com/{playback-id}.m3u8?token={JWT}',
type: 'application/x-mpegURL',
keySystems: {
'com.widevine.alpha': 'https://license.mux.com/license/widevine/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
'com.apple.fps.1_0': {
certificateUri: 'https://license.mux.com/appcert/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
licenseUri: 'https://license.mux.com/license/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
},
'com.microsoft.playready': 'https://license.mux.com/license/playready/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}'
}
});For more details check, out the videojs-contrib-eme docs.
Shaka player supports DRM via configuration keys.
player.configure({
drm: {
servers: {
'com.widevine.alpha': 'https://license.mux.com/license/widevine/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
'com.apple.fps.1_0': 'https://license.mux.com/license/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}',
'com.microsoft.playready': 'https://license.mux.com/license/playready/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}'
},
advanced: {
'com.apple.fps.1_0': {
serverCertificateUri: 'https://license.mux.com/appcert/fairplay/${PLAYBACK_ID}?token=${DRM_LICENSE_TOKEN}'
}
}
}
});For more details, check out the Shaka player DRM docs.
While we have only tested playback with our supported players, there are many others that will work just fine. If your platform supports playback of HLS, CMAF packaged streams, with Widevine, PlayReady, or FairPlay DRM, using CBCS encryption, then Mux might work by following the custom players guide. If you would like us to support additional platforms, let us know.
Checking your video is DRM protected is pretty simple: just take a screenshot! If DRM is working correctly, you should see the video replaced with either a black rectangle, or a single frame from the start of the video.
Currently Mux's DRM feature defaults to a balance of security and playability, including automatically leveraging higher security levels on devices where this is available.
At times customers may want to adjust this balance to increase security levels, specifically for example to meet contractual Hollywood studio security requirements. Please contact us if you need to discuss or adjust the security levels used.
In the future, we will allow self-serve adjustment of security levels through the DRM Configurations API.
In line with common industry practices, only video tracks are currently DRM protected, meaning that audio-only assets and live streams are not protected by DRM.
DRM is an add-on feature to Mux Video, with a $100/month access fee + $0.003 "per license", and discounts available for high volumes.
One DRM license request typically corresponds to one video view. When a viewer starts watching a DRM-protected video, the player requests a license to decrypt and play the content. While licenses and video views usually line up, the exact count can vary depending on each player's caching behavior.