DRM Providers

Widevine

Register a Widevine-capable DRM provider in C21 Live Control and attach it to a Destination.

Widevine in C21 Live Control

Widevine is Google's DRM. It reaches Chrome, Edge, Android, Chromecast and Android TV. In Live Control it appears as one of the three systems exposed by DrmProvider.supported_systems and one of the values a Destination's drm.systems[] array can carry.

This page covers what goes into the provider record when the upstream multi-DRM service supports Widevine. For the end-to-end flow, see DRM workflow. For the provider catalogue and CRUD, see Providers.

Where the configuration comes from

Widevine integrations are issued by Google to content owners and packagers. Most C21 Live Control deployments do not connect to Google's license server directly; they go through a multi-DRM provider (for example AXINOM or EZDRM) that runs the Widevine license server and exposes a single integration point with a SPEKE endpoint.

Before registering the provider in Live Control, the multi-DRM vendor hands over:

  • The SPEKE endpoint URL (mandatory).
  • The credentials expected by that provider type (auth header or token; the exact set is advertised by the server-side catalogue).
  • A tenant identifier when required by the brand (AXINOM uses one; others may not).

Registering the provider

Open Integrations → DRM → Providers → Add provider and fill the form. The fields map to DrmProviderCreateRequest:

FieldNotes
NameDisplay name (≤ 100 characters).
Provider typeOne of the values from the server-side catalogue (today AXINOM, EZDRM).
SPEKE URLPrimary SPEKE endpoint. Required.
SPEKE URL backupOptional fallback SPEKE endpoint.
Tenant IDRequired when the chosen provider_type declares requires_tenant_id = true (for example AXINOM).
CredentialsProvider-type-specific credentials envelope. Write-only — never returned by GET (the API redacts stored values to ••••••••).
EnabledWhether the provider is selectable by Destinations.

Save the form. addDrmProvider issues the provider id used to attach the provider to a Destination.

Validating the provider

After saving, run validateDrmProvider (the Validate action in the UI). The handler round-trips the stored credentials against the upstream SPEKE service and updates validation_status (UNKNOWN / VALID / INVALID) plus validation_date. A failed validation surfaces a sanitised error in validation_error.

Attaching Widevine to a Destination

DRM is applied to a Destination via its drm block (see Destinations):

  • active = true.
  • provider_id set to the Widevine-capable provider above.
  • systems includes Widevine. Combine with PlayReady to cover Microsoft devices on the same manifest.
  • encryption_mode is optional; the server derives it from systems (no FairPlaycenc).
  • contentid set to the content identifier the upstream vendor expects on key requests.

FAQ

Copyright © 2026