Widevine
Widevine in C21 Live Control
Widevine is Google's DRM. It reaches Chrome, Edge, Android, Chromecast and Android TV. In Live Control it appears as one of the three systems exposed by DrmProvider.supported_systems and one of the values a Destination's drm.systems[] array can carry.
This page covers what goes into the provider record when the upstream multi-DRM service supports Widevine. For the end-to-end flow, see DRM workflow. For the provider catalogue and CRUD, see Providers.
Where the configuration comes from
Widevine integrations are issued by Google to content owners and packagers. Most C21 Live Control deployments do not connect to Google's license server directly; they go through a multi-DRM provider (for example AXINOM or EZDRM) that runs the Widevine license server and exposes a single integration point with a SPEKE endpoint.
Before registering the provider in Live Control, the multi-DRM vendor hands over:
- The SPEKE endpoint URL (mandatory).
- The credentials expected by that provider type (auth header or token; the exact set is advertised by the server-side catalogue).
- A tenant identifier when required by the brand (
AXINOMuses one; others may not).
Registering the provider
Open Integrations → DRM → Providers → Add provider and fill the form. The fields map to DrmProviderCreateRequest:
| Field | Notes |
|---|---|
| Name | Display name (≤ 100 characters). |
| Provider type | One of the values from the server-side catalogue (today AXINOM, EZDRM). |
| SPEKE URL | Primary SPEKE endpoint. Required. |
| SPEKE URL backup | Optional fallback SPEKE endpoint. |
| Tenant ID | Required when the chosen provider_type declares requires_tenant_id = true (for example AXINOM). |
| Credentials | Provider-type-specific credentials envelope. Write-only — never returned by GET (the API redacts stored values to ••••••••). |
| Enabled | Whether the provider is selectable by Destinations. |
Save the form. addDrmProvider issues the provider id used to attach the provider to a Destination.
Validating the provider
After saving, run validateDrmProvider (the Validate action in the UI). The handler round-trips the stored credentials against the upstream SPEKE service and updates validation_status (UNKNOWN / VALID / INVALID) plus validation_date. A failed validation surfaces a sanitised error in validation_error.
Attaching Widevine to a Destination
DRM is applied to a Destination via its drm block (see Destinations):
active = true.provider_idset to the Widevine-capable provider above.systemsincludesWidevine. Combine withPlayReadyto cover Microsoft devices on the same manifest.encryption_modeis optional; the server derives it fromsystems(noFairPlay→cenc).contentidset to the content identifier the upstream vendor expects on key requests.
FAQ
supported_systems includes Widevine and set the Destination's drm.systems = ["Widevine"]. The resulting output covers Chrome, Edge and Android. Add PlayReady to the same manifest to cover Windows, Edge legacy, Xbox and many smart TVs.cenc is the standard. For deployments that also need FairPlay (HLS / CMAF), cbcs lets you package once and serve under both manifests when every client supports it.