USP supports Verimatrix VCAS. You need to fetch a content key with the VCAS API and pass it on the commandline when creating the server manifest.

Options for VCAS with AES-128


The key id (KID) and content encryption key (CEK) are passed with the --hls.key option where KID and CEK are separated by a colon, e.g. --hls.key=KID:CEK

As no KID is used for AES-128, this can be left empty. The CEK is a (random) 128 bit value and must be coded in hex (base61).


The URL used by the player to retrieve the key.

Using the VCAS API

Obtaining a key from the VCAS license server is a two step process.

The first step is to create a key, for instance:

# create 1 key (c=1)
curl -v \
 -X POST \
  • the HTTP verb used is POST
  • the c parameter is used to indicate the number of keys to create

The second step is to get the created key:

# get the key (p=0)
binary_key=$(curl -v \
 -X GET \
  • the HTTP verb used is GET
  • the p parameter is used to indicate which key should be returned

The return of the second call is a binary key, which should be converted to hex (base16) before it can be used with mp4split.

Creating a server manifest with Verimatrix VCAS

The following command creates a server manifest file with the key information embedded:


curl -v \
 -X POST \

binary_key=$(curl -v \
 -X GET \

key_hex16=$(echo -n $binary_key | hexdump -e '16/1 "%02x"')

mp4split -o video.ism \

Please note that in the above example some dummy values are used:

  • you need to provide values for r, t, c and p (see the Verimatrix documentation)
  • VERIMATRIX_URL should be replaced with the URL provided by Verimatrix
  • YOUR_USER_ID should be replaced with your customer id, provided by Verimatrix
  • VOD can also be another type (see the Verimatrix documentation)