How Tos

Protect a Live stream with multi-DRM

Register a DRM provider and attach it to a Publishing — through the UI, through the API, or both.

Available in: UI · API

Use this how-to when a Live stream must reach web, Windows and Apple clients with DRM enforced on every platform. The integration model is the same regardless of the surface: register a DRM provider once, then attach it to each protected Destination.

When to use this

When a DASH, CMAF or HLS / TS Destination on a Live stream must encrypt segments and have license URLs in the manifest. For the broader concept reference see DRM.

Prerequisites

  • The System Administrator role. The DRM provider CRUD is gated to that role; Operators cannot register, validate, edit or delete providers.
  • A multi-DRM vendor account. The catalogue publishes AXINOM and EZDRM today. From the vendor you receive a SPEKE endpoint, the credentials envelope expected by the brand and — for brands that need it — a tenant id.
  • A DASH, CMAF or HLS / TS Destination on the Live stream that will carry the protected output.

Via UI

Navigation: Integrations → DRM → Providers.

Register the DRM provider

Open Integrations → DRM → Providers and click Add provider. The form maps to the DrmProviderCreateRequest schema:

UI labelAPI fieldNotes
NamenameDisplay name (≤ 100 characters).
Provider typeprovider_typeOne of the values from the server-side catalogue (today AXINOM, EZDRM).
SPEKE URLspeke_urlPrimary SPEKE endpoint.
SPEKE backup URLspeke_url_backupOptional fallback.
Tenant idtenant_idRequired when the chosen Provider type declares requires_tenant_id = true.
CredentialscredentialsProvider-specific envelope. Write-only — GET returns the redacted sentinel value.
EnabledenabledWhether the provider is selectable by Destinations.

Submit. The new row appears in the providers list with Validation status: UNKNOWN.

Validate

Run the Validate action on the new provider row. The handler round-trips the credentials against the upstream SPEKE service. The Validation status column flips to VALID (success) or INVALID (failure). A failure surfaces a sanitised error in Validation error; correct the credentials with Edit and re-validate.

Attach the provider to a Destination

Open the Destination under Destinations and fill the DRM block:

UI labelAPI fieldNotes
Activedrm.activeToggle that turns DRM on for this Destination.
Providerdrm.provider_idPicker over the registered providers (only enabled providers appear).
Content iddrm.contentidThe content identifier expected by the vendor.
Systemsdrm.systems[]Any combination of Widevine, PlayReady, FairPlay.
Encryption modedrm.encryption_modeOne of cenc or cbcs.

Save. The Destination's row shows a shield indicator when DRM is active.

Start the Live stream

Start the Live stream from On air or the Live stream's detail page. The encoder requests keys from the configured SPEKE endpoint, encrypts the segments and writes the license URLs into the manifest.

Via API

DRM provider CRUD:

ActionMethod + pathoperationId
List providersGET /c21apiv2/settings/integrations/drmprovidersgetAllDrmProviders
Create a providerPOST /c21apiv2/settings/integrations/drmprovidersaddDrmProvider
Validate a providerPOST /c21apiv2/settings/integrations/drmproviders/{providerId}/validatevalidateDrmProvider
Update a providerPUT /c21apiv2/settings/integrations/drmproviders/{providerId}updateDrmProvider
Delete a providerDELETE /c21apiv2/settings/integrations/drmproviders/{providerId}deleteDrmProvider

The DRM block on a Destination is set through addPublishing / updatePublishing:

# 1. Register the provider
curl -X POST "https://<your-host>/c21apiv2/settings/integrations/drmproviders" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "MyDRMProvider",
    "provider_type": "AXINOM",
    "speke_url": "https://drm-axinom.example/speke/v2",
    "tenant_id": "<tenant>",
    "credentials": { "...": "..." },
    "enabled": true
  }'

# 2. Validate
curl -X POST "https://<your-host>/c21apiv2/settings/integrations/drmproviders/<providerId>/validate" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>"

# 3. Attach to an existing DASH/CMAF/HLS Publishing
curl -X PUT "https://<your-host>/c21apiv2/publishings/<publishingId>" \
  -H "Authorization: Bearer <YOUR_API_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{
    "drm": {
      "active": true,
      "provider_id": <providerId>,
      "contentid": "<vendor content id>",
      "systems": ["Widevine", "PlayReady"],
      "encryption_mode": "cenc"
    }
  }'

validation_status carries UNKNOWN (just registered), VALID (validation succeeded) or INVALID (validation failed). Common patterns:

Patterndrm.systemsdrm.encryption_mode
DASH + CMAF, web + Microsoft["Widevine", "PlayReady"]cenc
CMAF / HLS, Apple coverage["FairPlay"] (or all three)cbcs
Universal cbcs delivery["Widevine", "PlayReady", "FairPlay"]cbcs

Verify

  • The provider row reads Validation status: VALID.
  • GET /c21apiv2/publishings/{publishingId} returns the drm block with active: true and the expected systems / encryption_mode.
  • Players from each target ecosystem successfully decrypt and play the protected output:
EcosystemBrowser / deviceManifest
WidevineChrome or Edge on desktopDASH or CMAF
PlayReadyEdge on WindowsDASH or CMAF
FairPlaySafari on iOS or macOSHLS / CMAF

The upstream vendor's dashboard logs one license issuance per session per ecosystem.

FAQ

Copyright © 2026