Providers
A DRM provider is the credentials catalogue entry that connects C21 Live Control to an upstream multi-DRM service. Each provider record declares a brand (provider_type), a SPEKE endpoint and the credentials the brand expects. Once registered, the provider can be attached to a Destination through the Destination's drm block.
Schema (DrmProvider)
| UI label | Field | Notes |
|---|---|---|
| Name | name | Display name (≤ 100 characters). |
| Provider type | provider_type | Brand identifier from the server-side catalogue (today AXINOM, EZDRM). Drives the credential field set the form requires. The UI shows the values with human casing (Axinom, EZDRM); the spec and API expect uppercase. |
| SPEKE URL | speke_url | Primary SPEKE endpoint. |
| SPEKE URL backup | speke_url_backup | Optional fallback SPEKE endpoint. |
| Tenant ID | tenant_id | Required when the brand declares requires_tenant_id = true (for example AXINOM). |
| Credentials | credentials | Provider-type-specific envelope. Write-only — GET returns the sentinel •••••••• for stored values. Resending the envelope unchanged on PUT preserves the stored blob. |
| Enabled | enabled | Whether the provider is selectable by Destinations. |
| Validation status | validation_status | One of UNKNOWN, VALID, INVALID. Reset to UNKNOWN after any change that affects connectivity. |
| Last validation | validation_date | Timestamp of the last validateDrmProvider round trip. |
| Validation error | validation_error | Sanitised error message from the last failed validation. |
| Supported systems | supported_systems | Array exposed by the brand. A subset of Widevine, PlayReady, FairPlay. The OpenAPI spec emits the values in uppercase (WIDEVINE / PLAYREADY / FAIRPLAY); this document and the UI use TitleCase for readability. |
Operations
| Action | Method + path | operationId |
|---|---|---|
| List providers | GET /c21apiv2/settings/integrations/drmproviders | getAllDrmProviders |
| Read a provider | GET /c21apiv2/settings/integrations/drmproviders/{providerId} | getDrmProviderById |
| Register a provider | POST /c21apiv2/settings/integrations/drmproviders | addDrmProvider |
| Update a provider | PUT /c21apiv2/settings/integrations/drmproviders/{providerId} | updateDrmProvider |
| Delete a provider | DELETE /c21apiv2/settings/integrations/drmproviders/{providerId} | deleteDrmProvider |
| Validate a provider | POST /c21apiv2/settings/integrations/drmproviders/{providerId}/validate | validateDrmProvider |
Every operation requires the System Administrator role.
Register a provider
Open the form
Open Integrations → DRM → Providers → Add provider.
Fill the fields
Set Name, Provider type, SPEKE URL, optional Tenant ID and the brand-specific Credentials envelope. Keep Enabled on for normal operation.
Save
Submitting calls addDrmProvider. The credentials envelope is encrypted on the server (AES-256-CBC, with a key derived via PBKDF2-SHA256) and never returned again; has_credentials is set to true on the row.
Validate
Run the Validate action. validateDrmProvider round-trips the stored credentials against the upstream SPEKE service and updates validation_status. A failed validation surfaces a sanitised error in validation_error; correct the credentials with an update and re-validate.
Edit and delete
updateDrmProvider is a partial update. Resending the credentials envelope with the sentinel •••••••• values preserves the stored blob; sending any field with a real value re-encrypts the full envelope.
deleteDrmProvider removes the provider. Destinations that referenced the deleted provider via drm.provider_id lose that reference and fail validation at start time until they are pointed at a different provider.
Attaching a provider to a Destination
Once a provider is registered and VALID, attach it on each protected Destination through the drm block (see Destinations):
{
"drm": {
"active": true,
"provider_id": <provider id>,
"contentid": "<content identifier>",
"systems": ["Widevine", "PlayReady"]
}
}
encryption_mode is omitted because the server derives it from systems (no FairPlay → cenc). Sending it explicitly is allowed; the server recomputes the value either way.
A Destination without DRM configured publishes clear.
FAQ
AXINOM and EZDRM. The set is server-driven and additional brands can be added without breaking the API contract.validation_status is reset to UNKNOWN after any change that affects connectivity (SPEKE URL, tenant id, credentials). Run Validate to round-trip credentials against the upstream service; a successful call moves the status to VALID.