Overview: DRM with Playback Authorization Service

In this topic, you will learn how to add an extra layer of security by using Brightcove's Playback Authorization Service (PAS) with videos ingested for Dynamic Delivery.


Brightcove's Playback Authorization Service (PAS) offers an extra level of security when delivering DRM-protected content with Dynamic Delivery. This is particularly useful for customers who want to control access to their content, and prevent unauthorized sharing of content.

PAS allows customers to create, delete, and blacklist access tokens with a series of configuration variables based on their own business logic, such as viewer permissions. This prevents license information from being shared with 3rd parties.

This feature is available for Subscription Video-On-Demand (SVOD) customers who are willing to implement a middleware solution between their User Management System (UMS) and Brightcove's playback service.

For more details about the Playback Authorization Service, see the following:

Account setup

Make sure your account is set up for Dynamic Delivery. Then, contact your account manager to enable your account for Brightcove's Playback Authorization Service.


Brightcove's Playback Authorization Service is a regionally deployed service. Customers will have to manage viewer access permissions through an external User Management System (UMS) and integrated with PAS through a middleware application.

PAS provides two use cases for customers:

  • Securing DRM License Requests
    Using tokens with DRM-protected content, PAS will authorize requests based on user or session information to allow or deny access to the DRM licenses.

  • Securing Encryption Keys
    Using tokens with HLSe content, PAS will authorize requests based on user or session information to allow or deny access to the encryption keys and improve security on standard encryption.

PAS is not an out-of-the-box solution. It requires the customer to implement a middleware solution between a User Management System (UMS) and Brightcove's Playback Authorization Service. This integration can be done with the Brightcove Global Services (BGS) team or DIY by the customer.

PAS supports the ability to pass a signed set of content protection options and grant a DRM license or Advanced Encryption Standard (AES) key if these protection options are valid.

Publishers create a JSON Web Token (JWT). This token is passed with the playback request. If the token is invalid or expired, access to the content will be restricted.

The token expiration must be specified, and it cannot have a value greater than 30 days.