About Access Revocation

Adaptive Media Delivery supports Token Authentication. You can apply it to generate unique tokens and include them in requests for your content. ​Akamai​ validates these tokens to grant access to your media. Access Revocation lets you recognize tokens that have been hijacked and flag them to block requests that include them. Use the Access Revocation API to generate a “revocation list” of these tokens. You can also set a time to live for this revocation period to automatically “unrevoke” these tokens, or you can manually remove them from a revocation list. The API also lets you review your revocation lists and Access Revocation settings.

Ensure you can use Access Revocation

You typically can't use Access Revocation if you already have a unique Token Authentication scenario. A unique scenario is one that's set up by your ​Akamai​ account team. It's custom and outside the default scenarios you can define using settings in the Segmented Media Protection behavior. If you have a unique scenario, contact your account team to see if you can use Access Revocation.

Get Access Revocation on your contract

To check whether Access Revocation is already on your contract, follow these steps:

  1. Access ​Akamai Control Center​.

  2. Select > ACCOUNT ADMIN > Contracts.

  3. Click your Contract ID in the table.

  4. Type adaptive media in the Filter field and look for AdaptiveMediaDelivery::AccessRevocation in the Engineering Product Name column:

    • If you see it. You're ready to go.

    • If you don't see it. Reach out to your ​Akamai​ account team for help getting it added to your contract.

Set up authentication credentials

You use the Identity and Access Management tool in Akamai Control Center to set up an API client. An API client consists of several values that authenticate your calls to Akamai APIs. While you're creating your API client, you'll need to do the following:

  1. Verify you have the API service. In Identity and Access Management, you'll come to the API client for you interface. Click Show additional details, look for the TaaS entry in the APIs table, and make sure its access level is set to READ-WRITE. This gives you access to all operations in this API. If you don't see it, or it's set to READ-ONLY access, talk to your company's Akamai administrator to get your user updated, or reach out to your Akamai account team.

  2. Gather values. In the Credentials section, make note of the client_secret, host, access_token, and client_token values.

🚧

The client_secret is only revealed once

This value is only revealed after you first create an API client. You can't come back to this interface to get it. So, make sure you make note of it for use. You can use the Download or Copy credential buttons in the interface to save all of your values.

Get your contractId

Several operations in this API require this value. You can find your contractId using the Contract API:

  1. List contracts. If you only have one, you’re done. Store this as your contractId. If you have more than one, make note of these values and continue.

  2. List products per contract. Set the {contractId} variable to one you’ve noted.

  3. Look for a marketingProductId of Token Authentication as a Service or TaaS in the response. If you find it, this contract has Access Revocation enabled, and you can use this contractId.

📘

If you’re not sure of the right contract to use, or you see Access Revocation on more than one contract, check with your local administrator or contact your account representative.

Know the workflow

You can do several things with the Access Revocation API. Key among them is creating a revocation list and adding the tokens you want blocked to it. Here are the basic steps to get this done:

  1. Generate a token and apply it to your content. Extract the token's session_id value for use later in this process.

  2. Add a revocation list to establish a new list. Store the name you set for it.

  3. Create a new AMD property. You can use the Property Manager API (PAPI) for this.

  4. Enable token authentication via the segmentedContentProtection behavior in an applicable rule. You need to set at least these values:

    • enabled. Set to true.

    • key. You need to generate an access token to be used. This is the secret "key" value you used when generating it.

    • useAdvanced. Set to true.

    • sessionId. Set to true.

    • tokenRevocationEnabled. Set to true.

  5. Save the AMD property and activate it on the staging network to test it. When you're satisfied, activate it on the production network to start delivering your media.

  6. Revoke tokens to add one or more offending tokens to the revocation list. This blocks requests that include them from access.
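
The check below is an added example, not Akamai's code or part of the original page. It walks a property rule tree exported from PAPI as JSON and reports any segmentedContentProtection behavior whose options differ from step 4, which is worth running before activating on staging. The sample tree, its rule names, and the placeholder key are constructed; the rules/behaviors/children layout is assumed to be the standard PAPI rule-tree format.

```python
import json

# Options that step 4 of the workflow says must be set to true.
REQUIRED_TRUE = ("enabled", "useAdvanced", "sessionId", "tokenRevocationEnabled")

def find_behaviors(rule, name, path=""):
    """Yield (rule_path, options) for every behavior called `name` in the tree."""
    here = f"{path}/{rule.get('name', '?')}"
    for behavior in rule.get("behaviors", []):
        if behavior.get("name") == name:
            yield here, behavior.get("options", {})
    for child in rule.get("children", []):
        yield from find_behaviors(child, name, here)

def check_access_revocation(rule_tree):
    """Return a list of findings; an empty list means the settings match step 4."""
    hits = list(find_behaviors(rule_tree["rules"], "segmentedContentProtection"))
    if not hits:
        return ["no segmentedContentProtection behavior found in any rule"]
    findings = []
    for path, opts in hits:
        for opt in REQUIRED_TRUE:
            # A missing option, false, or the string "true" all count as wrong.
            if opts.get(opt) is not True:
                findings.append(f"{path}: {opt} is {opts.get(opt)!r}, expected true")
        # Report only presence of the key, never its value.
        if not opts.get("key"):
            findings.append(f"{path}: key is empty or missing")
    return findings

# Constructed sample: sessionId is absent and tokenRevocationEnabled is false,
# so tokens would validate but revocation lists would not be enforced.
SAMPLE = json.loads("""
{"rules": {"name": "default",
  "behaviors": [{"name": "origin", "options": {}}],
  "children": [{"name": "Protected media", "behaviors": [
    {"name": "segmentedContentProtection", "options": {
      "enabled": true, "key": "PLACEHOLDER_HEX_KEY",
      "useAdvanced": true, "tokenRevocationEnabled": false}}]}]}}
""")

if __name__ == "__main__":
    for line in check_access_revocation(SAMPLE) or ["ok"]:
        print(line)
```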