Widevine Claims

The claims in this section apply only to Widevine objects.

Security Policy

Each security policy within the token is identified by a unique ID in the form of a UUID. The claims must be within a "widevine" object.

Example Widevine Security Policy

"security_policy":{
  "EB119443-186B-4DEA-A7B7-8E5089FDD6B6":{
    "widevine":{
      "security_level":5,
      "required_output_protection":{
        "hdcp":"HDCP_V1",
        "disable_analog_output":true,
        "cgms_flags":"COPY_NEVER"
      }
    }
  }
}

In the above example:

  • The security level is 5, which mandates hardware secure decrypt and decode.
  • HDCP v1 output protection is on.
  • Analog output is disabled.
  • The security policy is assigned the ID: EB119443-186B-4DEA-A7B7-8E5089FDD6B6. This would need to be assigned as either a track or default security policy.

"security_level" claim

Optional. The "security_level" claim sets the robustness requirements for playback. It is an integer that specifies the minimum required security level, where 1 is the lowest level and 5 is the highest. Widevine Device Security Level 1 requires full hardware security.

Default: 1

The following table describes how security_level values map to Widevine Device Security Level values.

| Security_Level | Definition | Widevine Device Security Level |
|---|---|---|
| 1 | Software based white box crypto is required. (SW_SECURE_CRYPTO) | 3 |
| 2 | Software crypto and an obfuscated decoder is required. (SW_SECURE_DECODE) | 3 |
| 3 | The key material and crypto operations must be performed within a hardware backed trusted execution environment. (HW_SECURE_CRYPTO) | 2 |
| 4 | The crypto and decoding of content must be performed within a hardware backed trusted execution environment. (HW_SECURE_DECODE) | 1 |
| 5 | The crypto, decoding and all handling of the media (compressed and uncompressed) must be handled within a hardware backed trusted execution environment. (HW_SECURE_ALL) | 1 |

"required_output_protection" claim

Optional. The "required_output_protection" claim is an object that defines security to be applied to the output of the decoded video stream. The claim is a child of the Widevine security policy claim.

"hdcp" claim

Optional. The required HDCP level of the output device. It is a child of the "required_output_protection" claim. The claim is a string from the following table.

Default: HDCP_NONE

| HDCP | Applies to Widevine Device Security Level | Description |
|---|---|---|
| HDCP_NONE | 3 | HDCP not specified. Enforce HDCP 1.x |
| HDCP_V1 | 1 | Playback not allowed if client does not report HDCP 1.x or better. Enforce HDCP 2.0 |
| HDCP_V2 | 1 | Playback not allowed if client does not report HDCP 2.0 or better. Enforce HDCP 2.1 |
| HDCP_V2_1 | 1 | Playback not allowed if client does not report HDCP 2.1 or better. Enforce HDCP 2.2 |
| HDCP_V2_2 | 1 | Playback not allowed if client does not report HDCP 2.2 or better. Enforce HDCP 2.3 |
| HDCP_V2_3 | 1 | Playback not allowed if client does not report HDCP 2.3 or better. |
| HDCP_NO_DIGITAL_OUTPUT | 1 | No digital output allowed, including HDCP. Internal display only. |

"disable_analog_output" claim

Optional. The "disable_analog_output" claim is a child of the "required_output_protection" claim. It is a Boolean value that defines whether the device is allowed to output analog video.

Default: False

"cgms_flags" claim

Optional. The "cgms_flags" claim is a child of the "required_output_protection" policy claim. It is a string value that defines whether Copy Generation Management System (CGMS) flags are set. This MUST NOT be defined for desktop browsers.

Default: CGMS_NONE

| CGMS_FLAGS | Definition |
|---|---|
| CGMS_NONE | No copies may be made of the content |
| COPY_FREE | Unlimited copies may be made of the content |
| COPY_ONCE | One generation of copies may be made |
| COPY_NEVER | No copies may be made of the content |

"hdcp_srm_rule" claim

Optional. The "hdcp_srm_rule" claim is a child of the "required_output_protection" security policy claim. It is a string value that ensures that keys are not released to devices with older System Renewability Messages (SRMs) within the HDCP 2.0 specification. The value is one of the following:

  • "HDCP_SRM_RULE_NONE"
  • "CURRENT_SRM"

With "CURRENT_SRM", the key is not released to devices that have an older SRM and cannot be updated.

Default: HDCP_SRM_RULE_NONE
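
The following Python sketch is an added example, not code from the platform this page documents. It validates one "widevine" security policy object against the value tables above, applies the documented defaults, and reports the Widevine Device Security Level the policy maps to. The function name, the desktop_browser parameter and the choice to reject unknown claims are assumptions of the example.

```python
# Added example; every value below is transcribed from the tables on this page.
DEVICE_LEVEL = {1: 3, 2: 3, 3: 2, 4: 1, 5: 1}  # security_level -> Widevine level
ALLOWED = {
    "hdcp": {"HDCP_NONE", "HDCP_V1", "HDCP_V2", "HDCP_V2_1", "HDCP_V2_2",
             "HDCP_V2_3", "HDCP_NO_DIGITAL_OUTPUT"},
    "cgms_flags": {"CGMS_NONE", "COPY_FREE", "COPY_ONCE", "COPY_NEVER"},
    "hdcp_srm_rule": {"HDCP_SRM_RULE_NONE", "CURRENT_SRM"},
}
OUTPUT_DEFAULTS = {"hdcp": "HDCP_NONE", "disable_analog_output": False,
                   "cgms_flags": "CGMS_NONE",
                   "hdcp_srm_rule": "HDCP_SRM_RULE_NONE"}


def resolve_security_policy(widevine, desktop_browser=False):
    """Validate one "widevine" security policy object and apply the defaults.

    Raises ValueError on unknown claims or values, so that a misspelled claim
    cannot silently fall back to a weaker default.
    """
    unknown = set(widevine) - {"security_level", "required_output_protection"}
    if unknown:
        raise ValueError(f"unknown claim(s): {sorted(unknown)}")
    level = widevine.get("security_level", 1)
    if type(level) is not int or level not in DEVICE_LEVEL:
        raise ValueError(f"security_level must be an integer 1-5: {level!r}")
    given = widevine.get("required_output_protection", {})
    unknown = set(given) - set(OUTPUT_DEFAULTS)
    if unknown:
        raise ValueError(f"unknown output protection claim(s): {sorted(unknown)}")
    if desktop_browser and "cgms_flags" in given:
        raise ValueError("cgms_flags must not be defined for desktop browsers")
    out = {**OUTPUT_DEFAULTS, **given}
    for claim, allowed in ALLOWED.items():
        if not isinstance(out[claim], str) or out[claim] not in allowed:
            raise ValueError(f"{claim}: invalid value {out[claim]!r}")
    if type(out["disable_analog_output"]) is not bool:
        raise ValueError("disable_analog_output must be a Boolean")
    return {"security_level": level,
            "widevine_device_level": DEVICE_LEVEL[level],
            "required_output_protection": out}


# The example policy from this page.
EXAMPLE_POLICY = {
    "security_level": 5,
    "required_output_protection": {"hdcp": "HDCP_V1",
                                   "disable_analog_output": True,
                                   "cgms_flags": "COPY_NEVER"},
}
```

Run against the example policy, the result carries Widevine Device Security Level 1 and the defaulted "hdcp_srm_rule"; an empty object resolves to security level 1, which maps to Widevine Device Security Level 3.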

Playback Policy

Playback policies are applied across the entire asset. The claims must be within a "widevine" object.

Example Widevine Playback Policy

"policy": {
  "widevine": {
    "can_play": true,
    "can_persist": true,
    "license_duration_seconds": 3600
  }
}

"can_play" claim

Optional. The "can_play" claim is a child of the Widevine policy claim. It is a Boolean value that indicates whether playback of the content is allowed.

Default: True

"can_persist" claim

Optional. The "can_persist" claim is a child of the Widevine policy claim. It is a Boolean value that indicates whether the license may be persisted for non-volatile offline use.

Default: False

"can_renew" claim

Optional. The "can_renew" claim is a child of the Widevine policy claim. It is a Boolean value that indicates whether the license may be renewed. If true, the DRM client sends a license request to fetch a new license before the existing license expires.

Default: False

"license_duration_seconds" claim

Optional. The "license_duration_seconds" claim is a child of the Widevine policy claim. Indicates the time window for this specific license. A value of 0 indicates unlimited.

Default: 0

"override_device_revocation" claim

Optional. The "override_device_revocation" claim is a child of the Widevine policy claim. It is a boolean object. When "override_device_revocation" is True, Widevine devices marked as "Revoked" can still be used. However, the device security may be compromised.

Default: False

"playback_duration_seconds" claim

Optional. The "playback_duration_seconds" claim is a child of the Widevine policy claim. Indicates the window of time once playback starts within the license duration. A value of 0 indicates unlimited.

Default: 0

"rental_duration_seconds" claim

Optional. The "rental_duration_seconds" claim is a child of the Widevine policy claim. Indicates the window of time while playback is permitted. A value of 0 indicates unlimited.

Default: 0
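
Because every playback claim is optional, the policy that takes effect depends on the defaults as much as on what the token states. The following Python sketch is an added example, not code from the platform this page documents: it fills in the documented defaults and lists settings that widen what a license permits. The function names and the two review checks are assumptions of the example.

```python
# Added example; defaults are transcribed from the claim descriptions on this page.
PLAYBACK_DEFAULTS = {
    "can_play": True, "can_persist": False, "can_renew": False,
    "override_device_revocation": False, "license_duration_seconds": 0,
    "playback_duration_seconds": 0, "rental_duration_seconds": 0,
}


def effective_playback_policy(widevine):
    """Type-check a "widevine" playback policy object and fill in defaults."""
    unknown = set(widevine) - set(PLAYBACK_DEFAULTS)
    if unknown:
        # A misspelled duration claim would otherwise default to 0 (unlimited).
        raise ValueError(f"unknown claim(s): {sorted(unknown)}")
    for claim, value in widevine.items():
        expected = type(PLAYBACK_DEFAULTS[claim])
        if type(value) is not expected:
            raise ValueError(f"{claim}: expected {expected.__name__}, got {value!r}")
    return {**PLAYBACK_DEFAULTS, **widevine}


def review_findings(widevine):
    """Return review notes for settings that widen what a license permits.

    Both checks are heuristics chosen for this example, not platform rules.
    """
    p = effective_playback_policy(widevine)
    findings = []
    if p["override_device_revocation"]:
        findings.append("devices marked Revoked can still be used")
    if p["can_persist"] and p["license_duration_seconds"] == 0:
        findings.append("persisted offline license has unlimited duration")
    return findings


# The example playback policy from this page, and a constructed weaker variant.
EXAMPLE_PLAYBACK = {"can_play": True, "can_persist": True,
                    "license_duration_seconds": 3600}
WEAK_PLAYBACK = {"can_persist": True, "override_device_revocation": True}
```

The page's example policy produces no findings; the constructed variant produces both, the second one only because "license_duration_seconds" was left at its default of 0.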
