Using Apache's mod_auth_token

This module is not compiled by default, so you may have to install it first. Please see the mod_auth_token page for instructions.


We will be securing our content in the directory /protected.

AuthTokenSecret "secret"
AuthTokenPrefix "/protected/"
AuthTokenTimeout 3600


On the client we generate an MD5 hash for a specific URL.


# Current time as a hexadecimal UNIX timestamp
ISM_TIMESTAMP=$(php -r "print dechex(time());")
# MD5 over secret + path + hex timestamp
ISM_HASH=$(php -r "print md5('secret/alvin/alvin.ism${ISM_TIMESTAMP}');")

The ISM_HASH hash is calculated over your secret password, the path to the video server manifest file and the current time.
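
The calculation above, together with a model of the acceptance check implied by AuthTokenSecret and AuthTokenTimeout, as an added example that is not part of the original page and not mod_auth_token's own code. It assumes md5sum is available instead of PHP; the function names make_token and check_token are hypothetical.

```shell
#!/bin/sh
# Added example: a model of the token scheme described above.
# Not mod_auth_token source code; function names are hypothetical.

SECRET='secret'   # AuthTokenSecret from the configuration above
TIMEOUT=3600      # AuthTokenTimeout, in seconds

# make_token PATH HEX_TIMESTAMP
# Prints md5(secret + path + hex timestamp) as 32 hex characters.
make_token() {
  printf '%s%s%s' "$SECRET" "$1" "$2" | md5sum | cut -d' ' -f1
}

# check_token TOKEN HEX_TIMESTAMP PATH [NOW]
# Returns 0 only if the timestamp is well-formed hex, not older than
# TIMEOUT seconds, and the token matches this exact path.
check_token() {
  ct_now=${4:-$(date +%s)}
  case $2 in
    ''|*[!0-9a-f]*) return 1 ;;   # reject empty or non-hex timestamps
  esac
  ct_issued=$((0x$2))
  [ $((ct_now - ct_issued)) -le "$TIMEOUT" ] || return 1   # expired
  [ "$(make_token "$3" "$2")" = "$1" ]
}

# Constructed sample: issue a token now and validate it.
ts=$(printf '%x' "$(date +%s)")
tok=$(make_token /alvin/alvin.ism "$ts")
if check_token "$tok" "$ts" /alvin/alvin.ism; then
  echo "accepted: $tok $ts"
fi
```

Because the path is part of the hashed input, a token issued for one manifest does not validate for a different path, and it stops validating once the timestamp is older than the configured timeout.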

The last thing to do is to add the hash and timestamp parameters to the URLs that you would normally provide to the player.

For HSS:


For HLS:


For HDS:



All requests for a presentation (the playlists, the media playlists, the fragments) are secured, so every URL must carry the security hash and timestamp. Note that you do not have to do anything for this.

You only have to add the security attributes to the presentation manifest/playlist file. The webserver takes care of adding the security parameters to any URLs referenced in the playlists and media playlists.

Just make sure that you do not have static copies of the playlists (.m3u8 / .f4m / .ismc) stored on disk and let the webserver generate them dynamically.