Confused about signed URLs/Tokens

Hi everyone, working on a video course website/app and I’m confused on how to implement video signed urls.

First of all, what additional protection does signed urls provide? I understand that the videoid gets replaced by a unique token but if I already the video gated through membership requirements would the signed urls be redundant?

My second issue is that I’m completely lost on how to get started with the workflow described in the FAQ. I’m surprised that I can’t find a video tutorial anywhere either. Does anyone know of a resource that explains the process for a beginner with limited coding knowledge?

Any advice would be much appreciated.

For one, the signed URL can be time limited, with access to the URL gated to your own users, giving you all sorts of abilities to restrict who can access the URL and limit the potential for URL sharing.

Signed URLs vs. Video IDs
Signed URLs are useful for limiting access to your videos. In the scenario your describe where you have a membership site, if you don’t use signed URLs, it means the videos are publicly accessible. The question you pose is interesting: “what is the upside of signed URLs if the videos are only visible to members?”. The answer is simple: someone could sign up, get the video ids (relatively easy) and then continue accessing the videos even after their membership has expired.

If you were using a signed URL, on the otherhand, you could do things like provide an expiration value so the token used to watch the video expires after n hours. This way, even if someone saves the token, it will stop working after n hours.

Using Signed URLs
There are two ways to generate signed URL tokens. I will use option 1 since it is simpler and ideal for most use cases.

Let’s say your membership website has a page called members.php, which is where members land when they login successfully.

Your members.php page would make an AJAX call to another script that is on your server that is responsible for requesting a signed URL. Let’s call this script: get_signed_url.php

get_signed_url.php will generally do the following:

  1. Check if the user is actually logged in
  2. If the user is logged in, the script will call the /token Stream endpoint described here requesting a signed URL that allows the user to watch a given video id
  3. Stream API will return the signed URL token to your script
  4. Your script will return the signed URL token to your frontend (members.php page)
  5. Your members.php page will take the signed url token returned by get_signed_url.php and generate the embed code that uses the signed url token instead of the video id

Note: You don’t need to use any particular language for your backend. As long as your backend can make REST API calls, you can use it to generate signed URL tokens.

Let me know if this helps. Happy to clarify anything.

1 Like

Thanks for the information @thedaveCA and @zaid , ok in that case I’ll have to figure out how to implement signed url’s (I’m using bubble to build a video course app).

One follow up question, is there a difference in perfomance between option 1 and 2? Will option 1 have a slower response time since it’s using an external point to generate the tokens?

Thanks again for the help

Yes, the performance with option 1 might be slightly slower (I doubt it would be noticeable for the end user)

The real reason to use option 2 is if you are generating thousands of tokens per minute. Option 2 is best for high-volume use cases because with Option 1, you might run into rate limits if you are calling the Stream endpoint thousands of times per minute.

Thanks for the help @zaid I’m encountering one weird issue, the videos are playing fine on most devices however on certain devices (iPad) the video won’t load for some reason. I usually see the first scene or second before it interrupts and gets stuck on loading. I’m using the video.js player (iframe player works fine regardless of device). Do you have any ideas about what could be the cause and how I could solve this issue?

1 Like

Hi, this is likely related to an issue with the latest iOS that results in a black screen in certain cases. The Stream Player has a built-in workaround and that is why you might not be seeing the issue with the iframe embed code from Stream; but do see the issue when you use 3rd party players like videojs.

I would recommend using the Stream Player if possible.

thanks for the tips @zaid That’s a bummer, video js is working fine when using other solutions. Stream player is unfortunately not an option since I need a little more functionality/customization options and getting the api player to work well with bubble has proven a bit too complicated for me.