Our project requires to control access of a user to a video by applying the rules:
a user needs to authenticate against our application first (it’s our app part),
then a user can find some videos annotations that are available for (it’s our app part),
selecting one of them, the server-side should connect to API.video to ask for security credentials for that video that can be passed to that user and also set that video on API.video to allow the access only from that user,
that user can access that video on API.video and play it, but only once time and for a limited time (for 1 hour as an example),
if that user wants to play it again (for example, by refreshing the page), it’s necessary to go through the application logic again that passes new credentials for it (repeating the cycle from the beginning),
any other user should not be able to access the video,
if possible, including a user IP address into the credentials would be great because it would eliminate even any sharing of the access to the video (if a user is technically on that knowledge level to do it).
Does anybody have experiences to confirm that the described case above is possible to realize with the actual API.video functionality?
This video can be watched by exactly one user. Once it is viewed, the token is invalid, and the link will throw a 404 error (and the player will say “video not available.”
This token is valid for the browser window session.
The second part of this is that the user must re-authenticate to watch again. You can use the api.video analytics to determine if the user has watched the video. Use our dynamic metadata to tag the session with your user’s ID.
When you authenticate the user - you can check “has @mlapis watched this video?” If no results come back - then you can obtain the private video URL. If results come back - then your business logic can decide if they watched enough to block them for a 2nd view.
The last two bullets are handled by the private video mechanism, but we do record the IP, device type and more in each session
We do have many users using private videos in their applications with great success.
Great. Thanks a lot for your quick reply. It’s nice to hear the positive news, and it also means that we can start coding some prototype for our project with the knowledge that there are no serious limits to implement what we need to get.
Hi @anon89371750
What would be the best way to detect it video token is expired? Maybe some event in the player?
We have a private video and a backend that communicates with api video and generates new tokens.
What I am trying to do now is ping the hls manifest from the browser front-end to check if I get 404.
I saw this somewhere else in the forum, but what happens I think is that if I pink a valid the manifest it gets invalidated.
If you ping the manifest - you’ll invalidate the token… Probably not. the best way to check if it is still good. We currently do not have a way to check if the token has been used.
If in doubt - I’d just always generate a new token.