Timed token works even after expiration


I am confused as to how to make a video stream time restricted. On my Laravel PHP page a user can upload a video to Cloudflare Stream and I save the video_id in a database.
A user who is sent a link may see the video, if he is logged in, but I don't want him to post a link to that video somewhere else.
The timed tokens seemed to be the right thing but they don't work for some reason.

When the user visits my page I get a timed token from cf-stream:

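use Carbon\Carbon;
use Illuminate\Support\Facades\Http;

$headers = [
    'Content-Type' => 'application/json;charset=UTF-8',
    'Authorization' => 'Bearer '.$myBearerKey, // placeholder for the API token
];

$body = [
    // limit viewing: expiry as a Unix timestamp in seconds, one hour from now
    'exp' => floor(Carbon::now()->addHour()->valueOf() / 1000),
];

$response = Http::async()->connectTimeout(10)->withHeaders($headers)->post($apiURL, $body)->wait();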

I get the token and can use it instead of the video_id to show the video in the iframe-stream-player. But it works even after the expiration limit is reached.

Does it only work for videos that have the “requireSignedURLs” flag set to true? If so, can I make all videos require signed URLs by default?

I was unable to set that flag in the same post with which the video is uploaded and it seemed weird to have to make another separate query for that for each new video after it is uploaded.

Your help is appreciated.
Regards Markus

You need to enable signed URLs for the token to work.

Since video ids are effectively public within signed URLs, you will need to turn on requireSignedURLs for your videos. This option will prevent any public links, such as watch.cloudflarestream.com/<VIDEO_UID>, from working.

Restricting viewing can be done by updating the video’s metadata.

See: Secure your Stream · Cloudflare Stream docs

Is there a way to set (not update) the meta with the upload post query or to set requireSignedURLs as a default for all videos?
Otherwise the video would be public until my Meta Update Query comes through which should not be a long time, but if an error occurs…

Not that I am aware of. The only way is what is documented currently. Let me check with our stream team, as that would be a very good feature.

The stream team has confirmed this is currently not possible; however, they are aware of the ask and hopefully it will be available in the future.

Thank you very much for your help!
I am looking forward to future features.

Regards Markus
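One way to close the gap discussed in this thread, as an added example that is not code from any of the posters or from Cloudflare: set requireSignedURLs, read the flag back, and issue a viewer token only once the video is confirmed locked. The `$send` transport, the function names and the `$base` URL are hypothetical; the `/<video id>` and `/<video id>/token` paths are assumptions to check against the Stream docs linked above.

```php
<?php
// Added example, not code from the thread. $send is a hypothetical transport:
// fn(string $method, string $url, ?array $json): array (decoded JSON body).
// In Laravel it could wrap the Http facade with the bearer token.

/** Set requireSignedURLs on a video, then read it back to confirm. */
function requireSignedUrls(callable $send, string $base, string $videoId): bool
{
    $send('POST', "$base/$videoId", ['uid' => $videoId, 'requireSignedURLs' => true]);
    $details = $send('GET', "$base/$videoId", null);
    return ($details['result']['requireSignedURLs'] ?? false) === true;
}

/** Issue a viewer token only for a video that is confirmed locked. */
function viewerToken(callable $send, string $base, string $videoId, int $ttl): ?string
{
    try {
        if (!requireSignedUrls($send, $base, $videoId)) {
            return null; // fail closed: the public link would still work
        }
        // exp is a Unix timestamp in seconds, as in the question's request body
        $resp = $send('POST', "$base/$videoId/token", ['exp' => time() + $ttl]);
        return $resp['result']['token'] ?? null;
    } catch (Throwable $e) {
        return null; // API error: do not fall back to the bare video id
    }
}

// Constructed in-memory stand-in for the Stream API, so this runs offline.
function fakeStream(bool $updateSticks): callable
{
    $locked = false;
    return function (string $method, string $url, ?array $json) use (&$locked, $updateSticks): array {
        if (str_ends_with($url, '/token')) {
            return ['success' => true, 'result' => ['token' => 'constructed.token.value']];
        }
        if ($method === 'POST' && $updateSticks) {
            $locked = (bool) ($json['requireSignedURLs'] ?? false);
        }
        return ['success' => true, 'result' => ['requireSignedURLs' => $locked]];
    };
}

$base = 'https://api.example.test/stream'; // placeholder, not the real endpoint
var_dump(viewerToken(fakeStream(true), $base, 'VIDEO_UID', 3600));  // update applied
var_dump(viewerToken(fakeStream(false), $base, 'VIDEO_UID', 3600)); // update did not apply
```

In the setup from the question, `requireSignedUrls()` would run once right after the upload, with its result stored next to the video_id so the page only renders the player for videos marked as locked.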
