Widevine license token request / response

The Widevine license token interface provides production and test services.

This HTTP request returns a token that can be redeemed for a Widevine license.

Method: GET, POST (with a www-url-encoded body that contains parameters for both methods)

URLs:

  • Production: https://wv-gen.{prod_domain}/hms/wv/token

  • Test: [https://wv-gen.test.expressplay.com/hms/wv/token](https://wv-gen.test.expressplay.com/hms/wv/token)

  • Sample request:

    https://wv-gen.service.expressplay.com/hms/wv/token?customerAuthenticator=
    <ExpressPlay customer authenticator identifier>
    
  • Sample Response:

    https://wv.service.expressplay.com/hms/wv/rights/?ExpressPlayToken=<base64-encoded ExpressPlay token>
    

Table 13: Token Query Parameters

Query Parameter Description Required?
customerAuthenticator

This is your customer API key, one each for your production and test environments. You can find this on the ExpressPlay Admin Dashboard tab.

Yes
errorFormat Either html or json .

If html (the default) an HTML representation of any errors is provided in the entity body of the response. If json is specified, a structured response in JSON format is returned. See JSON Errors for details.

The mime type of the response is either text/uri-list on success, text/html for html error format, or application/json for json error format.

No

Table 14: License Query Parameters

Query Parameter Description Required?
generalFlags A 4 byte hexadecimal string representing the license flags. ‘0000’ is the only allowed value No
kek Key Encryption Key (KEK). Keys are stored encrypted with a KEK using a key wrapping algorithm (AES Key Wrap, RFC3394). No
kid A 16 byte hexadecimal string representation of the content encryption key or a string ^somestring'. The length of the string followed by the ^ cannot be greater than 64 characters. Check note below for an example. Yes
ek A hex string representation of the encrypted content key. No
contentKey A 16 byte hexadecimal string representation of the content encryption key Yes, unless kek and ek or kid are provided
contentId Content Id No
securityLevel Allowed values are 1-5.
  • 1 = SW_SECURE_CRYPTO
  • 2 = SW_SECURE_DECODE
  • 3 = HW_SECURE_CRYPTO
  • 4 = HW_SECURE_DECODE
  • 5 = HW_SECURE_ALL
Yes
hdcpOutputControl Allowed values are 0, 1, 2.
  • 0 = HDCP_NONE
  • 1 = HDCP_V1
  • 2 = HDCP_V2
Yes
licenseDuration * Duration of the license in seconds. If not provided, it indicates that there is no limit to the duration. Please check the note below for detailed information. No
wvExtension A short form wrapping extensionType and extensionPayload, as a comma separated string. See format below. Example: …&wvExtension=wudo,AAAAAA==&… No, any number can be used

About licenseDuration:

  1. Playback will stop licenseDuration seconds after beginning of playback.
  2. To allow playback to be stopped/resumed for an unlimited amount of time, omit licenseDuration (it will default to infinite). Otherwise specify the amount of time during which end-users should be able to enjoy the stream.

Table 15: Token Restriction Query Parameters

Query Parameter Description Required?
expirationTime Expiration time of this token. This value MUST a string in RFC 3339 date/time format in the ‘Z’ zone designator (“Zulu time”), or an integer preceded by a + sign. An example of an RFC 3339 date/time is 2006-04-14T12:01:10Z.
If the value is a string in RFC 3339 date/time format, then it represents an absolute expiration date/time for the token. If the value is an integer preceded by a + sign, then it is interpreted as a relative number of seconds, from issuance, that the token is valid. For example, +60 specifies one minute.
The maximum and default (if not specified) token lifetime is 30 days.
No

Table 16: Correlation Query Parameters

Query Parameter Description Required?
cookie Arbitrary string up to 32 characters long carried in the token and logged by the token redemption server. Can be used to correlate log entries at the redemption server and those at the service provider’s servers. No

Table 17: HTTP Response

HTTP Status Code Description Content-Type Entity Body Contains
200 OK No error. text/uri-list License acquisition URL + token
400 Bad Request Invalid args text/html or application/json Error description
401 Unauthorized Auth failed text/html or application/json Error description
404 Not found Bad URL text/html or application/json Error description
50x Server Error Server error text/html or application/json Error description

Table 18: Event Error Codes

Code Description
-2002 Invalid token expiration time: <details>
-2003 Invalid IP address
-2005 Invalid content encryption key: <details>
-2008 Invalid output control flags specified: <details>
-2017 Authentication token must be supplied
-2018 Authentication token invalid: <details>

Note: This can happen if the authenticator is wrong or when accessing the test API at *.test.expressplay.com using the production authenticator and vice versa.

Note: The Test SDK and Advanced Test Tool (ATT) only work with *.test.expressplay.com , whereas production devices must use *.service.expressplay.com

.
-2019 Insufficient tokens available
-2022 Missing rental period end time
-2023 Missing rental play duration
-2025 Invalid rental play duration
-2027 Content encryption key must be 32-hexadecimal digits long
-2030 ExpressPlay Admin error: <details>
-2031 Service Account Disabled
-2033 Invalid cookie
-2034 Invalid Output Control, values out of specified range
-2035 No corresponding value specified
-2036 Extension type should be 4 characters
-2037 Extension payload should be Base64 encoded
-2040 OutputControlFlag must be encode 4 bytes
-3004 Invalid error format specified: <format>
-4001 Device could not be authenticated
-4010 Invalid token
-4018 Missing kid
-4019 Failed to get content key from key storage service
-4020 kid must be 32 hexadecimal characters long
-4021 kid must be 64 characters long after the '^'
-4022 Invalid kid
-4024 Invalid encrypted key or kek
-5003 Invalid general flags
-6005 Invalid key data specified
-6007 Invalid rental duration specified
-7002 Device ID binding is not supported for Widevine
-7003 Missing security level value
-7004 Invalid security level value
-7006 Missing HDCP output control value
-7007 Invalid license duration specified
-7008 Failed to generate Widevine license
-7009 Invalid WVExtension parameters specified
-7011 Widevine option disabled

On this page