segmentedContentProtection

Property Manager name: Segmented Media Protection
Behavior version: The v2025-09-09 rule format supports the segmentedContentProtection behavior v2.1.
Rule format status: GA, stable
Access: Read/Write
Allowed in includes: Yes

Validates authorization tokens at the edge server to prevent unauthorized link sharing.

Option	Type	Description	Requires
`enabled`	boolean	Enables the segmented content protection behavior.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`key`	object array	Specifies the encryption key to use as a shared secret to validate tokens.		{"displayType":"object array","tag":"input","todo":true} {"if":{"attribute":"enabled","op":"eq","value":true}}
`useAdvanced`	boolean	Allows you to specify advanced `transitionKey` and `salt` options.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`transitionKey`	object array	An alternate encryption key to match along with the `key` field, allowing you to rotate keys with no down time.	`useAdvanced` is `true`	{"displayType":"object array","tag":"input","todo":true} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`salt`	object array	Specifies a salt as input into the token for added security. This value needs to match the salt used in the token generation code.	`useAdvanced` is `true`	{"displayType":"object array","tag":"input","todo":true} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`headerForSalt`	string array	This allows you to include additional salt properties specific to each end user to strengthen the relationship between the session token and playback session. This specifies the set of request headers whose values generate the salt value, typically `User-Agent`, `X-Playback-Session-Id`, and `Origin`. Any specified header needs to appear in the player's request.	`useAdvanced` is `true`	{"displayType":"string array","tag":"input","todo":true} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`sessionId`	boolean	Enabling this option carries the `session_id` value from the access token over to the session token, for use in tracking and counting unique playback sessions.	`useAdvanced` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`dataPayload`	boolean	Enabling this option carries the `data/payload` field from the access token over to the session token, allowing access to opaque data for log analysis for a URL protected by a session token.	`useAdvanced` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`ip`	boolean	Enabling this restricts content access to a specific IP address, only appropriate if it does not change during the playback session.	`useAdvanced` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`acl`	boolean	Enabling this option carries the `ACL` field from the access token over to the session token, to limit the requesting client's access to the specific URL or path set in the `ACL` field. Playback may fail if the base path of the master playlist (and variant playlist, plus segments) varies from that of the `ACL` field.	`useAdvanced` is `true`	{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"useAdvanced","op":"eq","value":true}}
`enableTokenInURI`	boolean	When enabled, passes tokens in HLS variant manifest URLs and HLS segment URLs, as an alternative to cookies.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`hlsMasterManifestFiles`	string array	Specifies the set of filenames that form HLS master manifest URLs. You can use `*` wildcard character that matches zero or more characters. Make sure to specify master manifest filenames uniquely, to distinguish them from variant manifest files.	`enableTokenInURI` is `true`	{"displayType":"string array","tag":"input","todo":true} {"if":{"attribute":"enableTokenInURI","op":"eq","value":true}}
`enableTokenInQueryString`	boolean	When enabled, in the DASH media encryption variant, passes tokens in query strings, as an alternative to cookies.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"attribute":"enabled","op":"eq","value":true}}
`tokenRevocationEnabled`	boolean	Enable this to deny requests from playback URLs that contain a `TokenAuth` token that uses specific token identifiers.		{"displayType":"boolean","tag":"input","type":"checkbox"} {"if":{"op":"and","params":[{"attribute":"enabled","op":"eq","value":true},{"attribute":"modulesOnContract","op":"contains","scope":"global","value":"AccessRevocation"}]}}
`revokedListId`	string	Identifies the `TokenAuth` tokens to block from accessing your content.	`tokenRevocationEnabled` is `true`	{"displayType":"string","tag":"input","type":"text"} {"if":{"attribute":"tokenRevocationEnabled","op":"eq","value":true}}
`hlsMediaEncryption`	boolean	Enables HLS Segment Encryption.		{"displayType":"boolean","tag":"input","type":"checkbox"}
`dashMediaEncryption`	boolean	Whether to enable DASH Media Encryption.		{"displayType":"boolean","tag":"input","type":"checkbox"}