License Token Tutorial


This document provides step-by-step instructions on how to generate tokens for the token-based license issuance, along with sample code.


Before you read this tutorial, please keep the following points in mind:

Where tokens are created

  • The creation of the token must be performed on the Content Management System (CMS) back-end server of the content service to which PallyCon Multi-DRM will be applied.
  • Generating tokens directly from within client-side JavaScript or mobile applications is a security risk and should be avoided.

How to use the created token

  • Before playing the DRM content on the client player, the CMS backend must determine whether the client or user is authorized to play. Then it generates a token with DRM license rules (time limit and security options) and pass it to the client.
  • The function of delivering the token data to the client should be implemented by the content service. Usually it is transmitted with the metadata (playback URL, DRM linked data, poster image, etc.) of the DRM contents to be played.

Sample codes and inputs

  • The sample code in this document is based on Node.JS. If you use any other server-side programming language, please refer to the sample code and implement the converted code yourself.
  • The various setting values shown in the sample code are for reference only. The generated token data in the sample code does not actually work.
  • To create a working token, you need to enter the setting value of your account after signing up to PallyCon service.

The step-by-step example code below can be run in a NodeJS application or in an online NodeJS IDE like JDoodle.

Step 1 - Input setting values

Prepare various input values required for license token generation as follows.

const AES_IV = "0123456789abcdef";
const siteInfo = {
  "siteId": "TUTO",
  "siteKey": "lU5D8s3PWoLls3PWFWkClULlFWk5D8oC",
  "accessKey": "LT2FVJDp2Xr018zf4Di6lzvNOv3DKP20"

let licenseInfo = {
  "drmType": "Widevine",
  "contentId": "bigbuckbunny",
  "userId": "test-user"

let licensePolicy = {
  "policy_version": 2,
  "playback_policy": {
    "persistent": false

console.log("license policy : " + JSON.stringify(licensePolicy));

Input value description

Name Format Description
AES_IV 16 bytes string “0123456789abcdef” (fixed value)
siteId 4 uppercase alphabet The ID of the service site registered on PallyCon Console site (check the PallyCon Console’s ‘Site Settings’ page)
siteKey 32 bytes base64 string Encryption key required for service site integration (check the PallyCon Console’s ‘Site Settings’ page)
accessKey 32 bytes base64 string Encryption key used for additional integration such as packager, license token, etc. (check the PallyCon Console’s ‘Site Settings’ page)
drmType Input one of these DRM. “NCG”, “Widevine”, “PlayReady”, “FairPlay” (case sensitive) Enter the type of DRM corresponding to the client environment. Refer to DRM Platform Support
contentId Max 200 alphanumeric characters The unique ID of the DRM content to play. Must be the same as the CID used to package the content.
userId Max 32 alphanumeric characters End-user’s ID which is managed by the content service. Input “LICENSETOKEN” if there is no user ID.

Value of drmType should be entered exactly in case according to the specification.

LicensePolicy JSON data is used to set the detailed policy for the content playback rights. This tutorial uses the default values as entered in the sample code above.

When you run Step 1 code, the following results are output to the browser console.

license policy : {"policy_version":2,playback_policy:{persistent:false}}

Step 2 - Encrypt license rule

Encrypt the license rules JSON string prepared in step 1 with AES256 algorithm and convert the result to a base64 string.

// Add the following code after step 1 code

const crypto = require("crypto");

const cipher = crypto.createCipheriv("aes-256-cbc", siteInfo.siteKey, AES_IV);
let encryptedPolicy = cipher.update(
encryptedPolicy +="base64");

console.log("encrypted policy : " + encryptedPolicy);

The following settings are used for AES encryption:

  • Encryption algorithm: AES256 CBC mode
  • Encryption key: The 32-byte PallyCon site key value entered in step 1
  • IV (Initial Vector): 16 byte AES_IV value entered in Step 1
  • Padding: pkcs7 (not shown in the above code because it is default)

AES encryption processing must use the appropriate libraries and APIs for each server-side programming language.

The execution result of the second stage code is as follows.

encrypted policy : sX7DEMZ1S2xaMoIt76m+yDwylZRVJ2Gzs2I1b0+mzL0X9FcJ43aAloqI5noG2iyC57AagPl2jY9mxCL/WqNabQ==

Step 3 - Create hash value

The hash value used to verify the integrity of the token data is generated as follows:

// Add the following code after step 2 code

const UTCTime = new Date().toISOString().replace(/\.\d{3}/gi, '');

let hashData = {
  siteId: siteInfo.siteId,
  accessKey: siteInfo.accessKey,
  drmType: licenseInfo.drmType,
  userId: licenseInfo.userId,
  cid: licenseInfo.contentId,
  policy: encryptedPolicy,
  timestamp: UTCTime

const hashInput =
  hashData.accessKey +
  hashData.drmType +
  hashData.siteId +
  hashData.userId +
  hashData.cid +
  hashData.policy +

console.log("hash input : " + hashInput);

let hashString = crypto

console.log("hash string : " + hashString);

The input value for generating a hash is a string of various configuration values, encrypted license rules, and current time information according to token specification.

The SHA256 algorithm is used to generate hash values, and the resulting value of the hash function must be entered into the base64 function as a binary data, without being converted to a string.

The result of the execution of Step 3 code is as follows.

hash input : LT2FVJDp2Xr018zf4Di6lzvNOv3DKP20WidevineTUTOtest-userbigbuckbunnysX7DEMZ1S2xaMoIt76m+yDwylZRVJ2Gzs2I1b0+mzL0X9FcJ43aAloqI5noG2iyC57AagPl2jY9mxCL/WqNabQ==2021-11-11T07:28:41Z

hash string : o6dD1qJbdrQvU86JUxZiKf8WBo0BH6oc+kN8CVNk2rM=

Step 4 - Create license token

Using the data prepared so far, create the license token as follows.

// Add the following code after step 3 code

let tokenData = {
  "drm_type": licenseInfo.drmType,
  "site_id": siteInfo.siteId,
  "user_id": licenseInfo.userId,
  "cid": licenseInfo.contentId,
  "policy": encryptedPolicy,
  "timestamp": UTCTime,
  "hash": hashString, 
  "response_format": "original",
  "key_rotation": false

console.log("token json : " + JSON.stringify(tokenData));

let base64Token = Buffer.from(JSON.stringify(tokenData)).toString("base64");

console.log("base64 encoded token : " + base64Token);

First, JSON data is created by combining various input values and encrypted license rules, timestamps, and hash values according to the token specification. Converting the corresponding JSON data to a Base64 string completes the token for the client to use for DRM license requests.

The result of executing the 4th step code is as follows.

token json : {"drm_type":"Widevine","site_id":"TUTO","user_id":"test-user","cid":"bigbuckbunny","policy":"sX7DEMZ1S2xaMoIt76m+yDwylZRVJ2Gzs2I1b0+mzL0X9FcJ43aAloqI5noG2iyC57AagPl2jY9mxCL/WqNabQ==","timestamp":"2021-11-11T07:28:41Z","hash":"o6dD1qJbdrQvU86JUxZiKf8WBo0BH6oc+kN8CVNk2rM=","response_format":"original","key_rotation":false}

base64 encoded token : eyJkcm1fdHlwZSI6IldpZGV2aW5lIiwic2l0ZV9pZCI6IlRVVE8iLCJ1c2VyX2lkIjoidGVzdC11c2VyIiwiY2lkIjoiYmlnYnVja2J1bm55IiwicG9saWN5Ijoic1g3REVNWjFTMnhhTW9JdDc2bSt5RHd5bFpSVkoyR3pzMkkxYjArbXpMMFg5RmNKNDNhQWxvcUk1bm9HMml5QzU3QWFnUGwyalk5bXhDTC9XcU5hYlE9PSIsInRpbWVzdGFtcCI6IjIwMjEtMTEtMTFUMDc6Mjg6NDFaIiwiaGFzaCI6Im82ZEQxcUpiZHJRdlU4NkpVeFppS2Y4V0JvMEJINm9jK2tOOENWTmsyck09IiwicmVzcG9uc2VfZm9ybWF0Ijoib3JpZ2luYWwiLCJrZXlfcm90YXRpb24iOmZhbHNlfQ==

This completes the license token tutorial.

To play the actual DRM content using the created token, please refer to the Bitmovin HTML5 Player Tutorial posted on the PallyCon blog site.