segmented_content_protection

Version: v2025-01-13
Includes use: Yes

Behavior name: Segmented Media Protection

Validates authorization tokens at the edge server to prevent unauthorized link sharing.

Default behavior

These samples reflect the behavior's default settings. You can use these as is in your configurations or make adjustments based on the behavior's available options.

data "akamai_property_rules_builder" "segmented_content_protection" {
  rules_v2025_01_13 {
    name     = "Segmented Media Protection"
    comments = "Validates authorization tokens at the edge server to prevent unauthorized link sharing."
    behavior {
      segmented_content_protection {
        enabled                      = true
        key                          = ""
        use_advanced                 = false
        enable_token_in_uri          = false
        enable_token_in_query_string = false
        hls_media_encryption         = false
        dash_media_encryption        = false
      }
    }
  }
}

"behaviors": [
  {
    "name": "segmentedContentProtection",
    "options": {
      "enabled": true,
      "key": "",
      "useAdvanced": false,
      "enableTokenInURI": false,
      "enableTokenInQueryString": false,
      "hlsMediaEncryption": false,
      "dashMediaEncryption": false
    }
  }
]

Options

| Option | Description |
|---|---|
| enabled | Enables the segmented content protection behavior. |
| key | Specifies the encryption key to use as a shared secret to validate tokens. |
| use_advanced | Allows you to specify advanced transition_key and salt options. |
| transition_key | Alternate encryption keys that let you rotate keys with no downtime. |
| salt | Specifies a salt as input into the token for added security. This value needs to match the salt used in the token generation code. |
| header_for_salt | This allows you to include additional salt properties specific to each end user to strengthen the relationship between the session token and playback session. This specifies the set of request headers whose values generate the salt value, typically User-Agent, X-Playback-Session-Id, and Origin. Any specified header needs to appear in the player's request. |
| session_id | Enabling this option carries the session_id value from the access token over to the session token, for use in tracking and counting unique playback sessions. |
| data_payload | Enabling this option carries the data/payload field from the access token over to the session token, allowing access to opaque data for log analysis for a URL protected by a session token. |
| ip | Enabling this restricts content access to a specific IP address, only appropriate if it does not change during the playback session. |
| acl | Enabling this option carries the ACL field from the access token over to the session token, to limit the requesting client's access to the specific URL or path set in the ACL field. Playback may fail if the base path of the master playlist (and variant playlist, plus segments) varies from that of the ACL field. |
| enable_token_in_uri | When enabled, passes tokens in HLS variant manifest URLs and HLS segment URLs, as an alternative to cookies. |
| hls_master_manifest_files | Specifies the set of filenames that form HLS master manifest URLs. You can use the * wildcard character, which matches zero or more characters. Make sure to specify master manifest filenames uniquely, to distinguish them from variant manifest files. |
| enable_token_in_query_string | When enabled, in the DASH media encryption variant, passes tokens in query strings, as an alternative to cookies. |
| token_revocation_enabled | Enable this to deny requests from playback URLs that contain a TokenAuth token that uses specific token identifiers. |
| revoked_list_id | Identifies the TokenAuth tokens to block from accessing your content. |
| hls_media_encryption | Enables HLS Segment Encryption. |
| dash_media_encryption | Whether to enable DASH Media Encryption. |
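
The following added example (not Akamai's code and not part of the original page) models how an edge check can combine key, transition_key, salt and the ACL field, and why a transition key lets tokens issued under the previous key keep working during rotation. The token layout (exp and acl fields joined by ~, followed by an HMAC-SHA256), the ACL matching rule, the sample keys and salt, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample secrets (hex); real keys come from your secret store.
OLD_KEY, NEW_KEY, SALT = "aa" * 16, "bb" * 16, "constructed-salt"

def sign(fields, key_hex, salt=""):
    """HMAC-SHA256 over the token fields plus the salt; the salt is never sent."""
    msg = fields + (f"~salt={salt}" if salt else "")
    return hmac.new(bytes.fromhex(key_hex), msg.encode(), hashlib.sha256).hexdigest()

def make_token(exp, acl, key_hex, salt=""):
    """Issue a token that expires at `exp` (epoch seconds) and is bound to `acl`."""
    fields = f"exp={exp}~acl={acl}"
    return f"{fields}~hmac={sign(fields, key_hex, salt)}"

def validate(token, path, now, key, transition_key=None, salt=""):
    """Model of the edge check. Returns (accepted, reason)."""
    fields, sep, mac = token.rpartition("~hmac=")
    if not sep:
        return False, "malformed"
    # Accept a MAC made with either the current key or the transition key.
    candidates = [k for k in (key, transition_key) if k]
    if not any(hmac.compare_digest(sign(fields, k, salt).encode(), mac.encode())
               for k in candidates):
        return False, "bad signature"
    try:
        parsed = dict(f.split("=", 1) for f in fields.split("~"))
        exp, acl = int(parsed["exp"]), parsed["acl"]
    except (KeyError, ValueError):
        return False, "malformed"
    if now >= exp:
        return False, "expired"
    # Assumed ACL rule: exact path, or prefix match when the ACL ends in "*".
    allowed = path.startswith(acl[:-1]) if acl.endswith("*") else path == acl
    return (True, "ok") if allowed else (False, "acl mismatch")

def rotation_demo():
    """Token issued under OLD_KEY, checked after the edge moved to NEW_KEY."""
    tok = make_token(2000, "/live/event1/*", OLD_KEY, SALT)
    seg = "/live/event1/seg1.ts"
    return {
        "with_transition_key": validate(tok, seg, 1000, NEW_KEY, OLD_KEY, SALT),
        "without_transition_key": validate(tok, seg, 1000, NEW_KEY, None, SALT),
        "salt_mismatch": validate(tok, seg, 1000, NEW_KEY, OLD_KEY, "other"),
        "outside_acl": validate(tok, "/live/event2/seg1.ts", 1000, NEW_KEY, OLD_KEY, SALT),
    }

if __name__ == "__main__":
    for case, result in rotation_demo().items():
        print(f"{case}: {result}")
```

Once every token issued under the old key has expired, the transition key can be dropped from the configuration.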