DRM Providers

Workflow

End-to-end workflow for protecting a Live stream with DRM in C21 Live Control.

This page walks the operator-facing DRM workflow end to end:

  1. Register a DRM provider (the credentials catalogue entry).
  2. Validate the provider against the upstream SPEKE service.
  3. Attach the provider to a Destination.
  4. Bind the Destination to a Live stream and start the broadcast.
  5. Verify playback on each target ecosystem.

Step 1 — Register a DRM provider

Open Integrations → DRM → Providers and choose Add provider. Fill in:

  • Name — display name.
  • Provider type — AXINOM, EZDRM (today's catalogue).
  • SPEKE URL — primary SPEKE endpoint.
  • Tenant ID — required by brands that declare requires_tenant_id = true (for example AXINOM).
  • Credentials — provider-type-specific envelope.

See Providers for the field-by-field reference.

Step 2 — Validate the provider

Run Validate (calls validateDrmProvider). The handler round-trips the stored credentials against the upstream SPEKE service and updates validation_status (UNKNOWN / VALID / INVALID). A failed validation surfaces a sanitised error in validation_error — fix the credentials with Edit and re-validate.

Step 3 — Attach the provider to a Destination

Open the Destination that should carry DRM (DASH, CMAF or HLS / TS) and fill its drm block:

Field             Value
active            true
provider_id       The id of the validated provider.
contentid         The content identifier the upstream vendor expects on key requests.
systems           Subset of Widevine, PlayReady, FairPlay. FairPlay cannot be combined with the others on the same Destination — use separate Destinations instead.
encryption_mode   Server-derived: cbcs when systems includes FairPlay, cenc otherwise. Optional in the request body — the server recomputes the value either way.

A Destination without drm.active publishes in the clear. Different Destinations inside the same Destination group can carry different DRM blocks, which is a common pattern for universal coverage:

  • A DASH / CMAF Destination with systems = ["Widevine", "PlayReady"] (server sets encryption_mode = cenc) for Chrome / Android / Windows / Edge.
  • A separate HLS / CMAF Destination with systems = ["FairPlay"] (server sets encryption_mode = cbcs) for Safari / iOS / macOS.

Bundle them in a Destination group to bind both to a Live stream through one reference.
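
A pre-flight check for the drm blocks in a Destination group, applying the rules from the table above before the group is bound to a Live stream. This is an added example, not C21 Live Control code: the field names come from this page, while the dict layout, function names and sample ids are assumptions, as is treating a missing contentid as a problem.

```python
# Added example, not C21 Live Control code. Field names and rules come from this
# page; the dict layout, function names and sample values are assumptions.
ALLOWED_SYSTEMS = {"Widevine", "PlayReady", "FairPlay"}

def derive_encryption_mode(systems):
    """cbcs when systems includes FairPlay, cenc otherwise."""
    return "cbcs" if "FairPlay" in systems else "cenc"

def check_destination(dest, providers):
    """Return the list of problems found in one Destination's drm block."""
    drm = dest.get("drm") or {}
    if not drm.get("active"):
        return ["publishes clear (drm.active is not true)"]
    problems, systems = [], set(drm.get("systems") or [])
    if systems - ALLOWED_SYSTEMS:
        problems.append(f"unknown systems: {sorted(systems - ALLOWED_SYSTEMS)}")
    if "FairPlay" in systems and len(systems) > 1:
        problems.append("FairPlay combined with other systems; use a separate Destination")
    if not drm.get("contentid"):
        problems.append("contentid missing")
    provider = providers.get(drm.get("provider_id"))
    if provider is None:
        problems.append("provider_id does not match a registered provider")
    elif provider.get("validation_status") != "VALID":
        problems.append(f"provider validation_status is {provider.get('validation_status')}")
    mode = drm.get("encryption_mode")  # optional; the server recomputes it either way
    if mode is not None and mode != derive_encryption_mode(systems):
        problems.append(f"encryption_mode {mode} will be recomputed to {derive_encryption_mode(systems)}")
    return problems

def check_group(destinations, providers):
    """Return ({Destination name: problems}, DRM systems covered by clean Destinations)."""
    report = {d["name"]: check_destination(d, providers) for d in destinations}
    covered = set()
    for d in destinations:
        if not report[d["name"]]:
            covered.update(d["drm"]["systems"])
    return report, covered

# Constructed sample data: two providers and one Destination group.
PROVIDERS = {"prov-1": {"validation_status": "VALID"}, "prov-2": {"validation_status": "INVALID"}}
GROUP = [
    {"name": "dash-cenc", "drm": {"active": True, "provider_id": "prov-1", "contentid": "live-01", "systems": ["Widevine", "PlayReady"]}},
    {"name": "hls-fairplay", "drm": {"active": True, "provider_id": "prov-1", "contentid": "live-01", "systems": ["FairPlay"]}},
    {"name": "hls-mixed", "drm": {"active": True, "provider_id": "prov-2", "contentid": "live-01", "systems": ["FairPlay", "Widevine"], "encryption_mode": "cenc"}},
    {"name": "hls-ts-clear", "drm": {"active": False}},
]
if __name__ == "__main__":
    print(check_group(GROUP, PROVIDERS))
```

Any Destination reported as publishing clear inside a group that is meant to be protected is the case to resolve before starting the broadcast.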

Step 4 — Bind to a Live stream

Bind the Destination (or the Destination group containing it) to a Live stream from the Live streams editor and start the broadcast. The encoder requests keys from the configured SPEKE endpoint, encrypts the segments and writes the license URLs into the manifest.

Step 5 — Verify playback

Validate that each target ecosystem can play the protected output:

  • Widevine — Chrome or Edge on desktop, playing the DASH or CMAF manifest.
  • PlayReady — Edge on Windows, playing the DASH or CMAF manifest. Confirm the player negotiates PlayReady, not Widevine.
  • FairPlay — Safari on iOS or macOS, playing the HLS / CMAF manifest.

The upstream provider's dashboard should log one license issuance per session per ecosystem.
