About Access Revocation
Adaptive Media Delivery supports Token Authentication. You can apply it to generate unique tokens and include them in requests for your content. Akamai validates these tokens to grant access to your media. Access Revocation lets you recognize tokens that have been hijacked and flag them to block requests that include them. Use the Access Revocation API to generate a “revocation list” of these tokens. You can also set a time to live for this revocation period to automatically “unrevoke” these tokens, or you can manually remove them from a revocation list. The API also lets you review your revocation lists and Access Revocation settings.
Ensure you can use Access Revocation
You typically can't use Access Revocation if you already have a unique Token Authentication scenario. A unique scenario is one that's set up by your Akamai account team. It's custom and outside the default scenarios you can define using settings in the Segmented Media Protection behavior. If you have a unique scenario, contact your account team to see if you can use Access Revocation.
Get Access Revocation on your contract
You can check by following these steps:
- Access Akamai Control Center.
- Select ☰ > ACCOUNT ADMIN > Contracts.
- Click your Contract ID in the table.
- Type adaptive media in the Filter field and look for the AdaptiveMediaDelivery::AccessRevocation in the Engineering Product Name column:
  - If you see it. You're ready to go.
  - If you don't see it. Reach out to your Akamai account team for help getting it added to your contract.
Set up authentication credentials
You use the Identity and Access Management tool in Akamai Control Center to set up an API client. An API client consists of several values your API client uses to authenticate calls to Akamai APIs. While you're creating your API client, you'll need to do the following:
- Verify you have the API service. In Identity and Access Management, you'll come to the API client for you interface. Click Show additional details and look for the TaaS entry in the APIs table and make sure its access level is set to READ-WRITE. This gives you access to all operations in this API. If you don't see it, or it's set to READ-ONLY access, talk to your company's Akamai administrator to get your user updated, or reach out to your Akamai account team.
- Gather values. In the Credentials section, make note of the client_secret, host, access_token, and client_token values.
  The client_secret is only revealed once. This value is only revealed after you first create an API client. You can't come back to this interface to get it. So, make sure you make note of it for use. You can use the Download or Copy credential buttons in the interface to save all of your values.
Get your contractId
Several operations in this API require this value. You can find your contractId using the Contract API:
- List contracts. If you only have one, you’re done. Store this as your contractId. If you have more than one, make note of these values and continue.
- List products per contract. Set the {contractId} variable to one you’ve noted.
- Look for a marketingProductId of Token Authentication as a Service or TaaS in the response. If you find it, this contract has Access Revocation enabled, and you can use this contractId.
If you’re not sure of the right contract to use, or you see Access Revocation on more than one contract, check with your local administrator or contact your account representative.
Know the workflow
There are several things you can do with the Access Revocation API. Key among them is creating a revocation list and adding the tokens you want blocked to it. Here are the basic steps to get this done:
- Generate a token and apply it to your content. Extract the token's session_id value for use later in this process.
- Add a revocation list to establish a new list. Store the name you set for it.
- Create a new AMD property. You can use the Property Manager API (PAPI) for this.
- Enable token authentication via the segmentedContentProtection behavior in an applicable rule. You need to set at least these values:
  - enabled. Set to true.
  - key. You need to generate an access token to be used. This is the secret "key" value you used when generating it.
  - useAdvanced. Set to true.
  - sessionId. Set to true.
  - tokenRevocationEnabled. Set to true.
- Save the AMD property and activate it on the staging network to test it. When you're satisfied, activate it on the production network to start delivering your media.
- Revoke tokens to add one or more offending tokens to the revocation list. This blocks requests that include them from access.
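
The first and last steps above, sketched as an added example (not Akamai's code): it pulls the session_id out of each token seen in delivery requests and lists the session IDs that look shared, as candidates for the revocation list. Assumptions: tokens use the tilde-delimited name=value layout with the session ID in an id= field, the token travels in an hdnts query parameter, and "presented from more than max_ips client IPs" is an illustrative heuristic; the function names and sample requests are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

TOKEN_PARAM = "hdnts"  # assumption: query parameter that carries the token


def session_id_from_token(token):
    """Return the value of the token's id= field (its session_id), or None."""
    for field in token.split("~"):  # assumed layout: name=value~name=value
        name, sep, value = field.partition("=")
        if sep and name == "id":
            return value or None
    return None


def revocation_candidates(requests, max_ips=1):
    """Session IDs whose token was presented by more than max_ips client IPs.

    requests: iterable of (client_ip, url) pairs taken from delivery logs.
    The distinct-IP threshold is an illustrative heuristic, not an Akamai rule.
    """
    ips_by_session = defaultdict(set)
    for client_ip, url in requests:
        query = parse_qs(urlsplit(url).query)
        for token in query.get(TOKEN_PARAM, []):
            session_id = session_id_from_token(token)
            if session_id:  # skip tokens that carry no session_id
                ips_by_session[session_id].add(client_ip)
    return sorted(s for s, ips in ips_by_session.items() if len(ips) > max_ips)


# Constructed sample data: documentation-range IPs, example host, fake hmac.
_URL = ("https://media.example.com/v/seg1.ts"
        "?hdnts=st=1700000000~exp=1700003600~acl=/*{sid}~hmac=0a1b")
SAMPLE_REQUESTS = [
    ("192.0.2.10", _URL.format(sid="~id=sess-alice")),
    ("192.0.2.10", _URL.format(sid="~id=sess-alice")),
    ("198.51.100.7", _URL.format(sid="~id=sess-bob")),
    ("203.0.113.5", _URL.format(sid="~id=sess-bob")),
    ("203.0.113.99", _URL.format(sid="~id=sess-bob")),
    ("192.0.2.44", _URL.format(sid="")),  # token generated without a session_id
]

if __name__ == "__main__":
    print(revocation_candidates(SAMPLE_REQUESTS))
```

The returned session IDs are the values you would submit in the Revoke tokens step.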