Enable DRM with JW Stream

Learn a simplified approach to protecting your content with DRM.

As an alternative to managing settings within the player settings, JW Player provides a simplified approach to protecting your content with industry-standard Digital Rights Management (DRM). By enabling DRM on a property from your JW Player dashboard, the complex aspects of DRM management are managed by JW Player on your behalf:

  • Several configured DRM Policies
  • DRM license generation and management for Widevine, PlayReady, and Fairplay DRM solutions
  • License delivery services for content playback on any device

With JW Player managing the technical aspects of DRM, you can focus on the design and implementation of engaging content experiences.


DRM entitlementContact your JW Player representative to learn more about having DRM with JW Stream enabled for your account
Embedded playerFor these instructions for adding a player library
Fairplay Streaming Deployment packageSee: Enabling Apple Fairplay Streaming

Enabling Apple Fairplay Streaming

If you want to use Apple FairPlay DRM, you must get a FairPlay Streaming Deployment package from Apple and upload the credentials to each DRM-enabled property in your JW dashboard.



You can use the same Fairplay Deployment package on all your properties, but you must upload the package to each property, explicitly.

Acquire Fairplay credentials

You must have the FairPlay credentials listed in the following table.

Encoded *.p12 keystore fileThe *.p12 keystore file must contain your FPS Deployment certificate and private key. This file must be password-protected (be sure to password-protect the whole file, NOT just the private key)
ASKApp secret key

To create the .p12 keystore file in OpenSSL, use the following commands:

$ openssl pkcs12 -export -out NAME.p12 -inkey PRIVATE_KEY.pem -in CERT.pem -passout pass:PASSWORD

Add Fairplay credentials to a property

  1. From the property list page, click on the name of a DRM-enabled property.
  2. On the Content Protection tab, click Add FPS Credentials to add your credentials to the property. Repeat this step for all the DRM-enabled properties on which you want to enable Fairplay.

High-Level Workflow Overview

The following high-level workflow illustrates how to request and play DRM content.


High-Level Workflow Explained

  1. Create a new property in your JW account and enable DRM on the property. Four predefined DRM policies (see the section later in this guide) are created in the property, and content URL signing is automatically enabled on the property.

  2. Upload content to the new DRM-enabled property.

  3. The content is transcoded, and a unique mediaID and other metadata are created as with any media uploaded to JW Platform.

  4. Your application makes a signed API request to the JW Delivery API to get a single-item playlist that contains DRM media URLs and license acquisition URLs (LA_URL) for a mediaID.

    NOTE: All DRM API requests must use HTTPS. DRM is not supported over HTTP connections.

  5. Pass the media URL and LA_URL (plus certificate URL if using FairPlay) to your player configuration.

    NOTE: If you are using a JW Player HTML5 player in your application, the whole response can be passed directly to the player's setup configuration. For other players, consult the player's DRM configuration documentation.

  6. When playback is initiated, the player sends an encrypted DRM license request to the JW Delivery API.

  7. The JW Delivery API returns the DRM license to the player.

  8. If the device satisfies the policy restrictions in the license, playback begins. If the device does not satisfy the restrictions, the player reports an error.

Property Setup

DRM in JW Stream requires the creation of a new property (called Sites in the JW Management API).

To enhance the security of your content, the new DRM-enabled property will be preconfigured with the following:

  • JWT token signing enabled to protect license acquisition URLs
  • DRM content copy restrictions to prevent content transfers to account properties without DRM encryption enabled
  • Four predefined DRM policies

Enable a property

Use the following steps to create a DRM-enabled property:

  1. On the Property page, click Create. A pop-up window appears.
  2. Enter a Name in the text box.
  3. Under Digital Rights Management, click the Enable protection checkbox.
  4. Click Create. The new property is created and a list of the properties in your account appears.
  5. Upload your content to the new property. Your content must be hosted by JW Player in your JW Platform library.

DRM Content Playback

Sample code

The following code samples can be used as the foundation for your DRM implementation.

This script demonstrates how to generate a signed URL for requesting DRM assets from the JW Delivery API. 
It takes three arguments, a Media ID, a DRM Policy ID, and the V1 API secret (available in the 
API Credentials area of your JW Dashboard) for your DRM-enabled property. The signed URL will be 
printed to your terminal.


1.) Create and activate a Python virtual environment:
    - $ python3 -m venv venv
    - $ source venv/bin/activate
2.) Install `jose`, a JWT library
    - $ pip3 install python-jose
3.) Run script.
    - $ python3 jw_drm.py {media_id} {drm_policy_id} {v1_api_property_secret}

import argparse
import json
import math
import time
from urllib.parse import urlparse

from jose import jwt

def generate_jwt_token(path: str, api_secret: str):
    Generates JWT token for given request path
    # Generate epoch timestamp of now + 1 hour for link expiration. 
    exp = math.ceil((time.time() + 60))
    params = {"resource": path, "exp": exp, }
    return jwt.encode(params, api_secret, algorithm="HS256")

def generate_signed_drm_url(media_id: str, drm_policy_id: str, api_secret: str):
    Generates a signed URL which can be used to fetch a DRM-protected media asset
    path = f"/v2/media/{media_id}/drm/{drm_policy_id}"
    token = generate_jwt_token(path, api_secret)
    return f"https://cdn.jwplayer.com{path}?token={token}"

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("media_id", help="Media ID to request")
    parser.add_argument("drm_policy_id", help="DRM Policy settings to apply to session")
    parser.add_argument("api_secret", help="V1 API Secret for DRM-enabled property")
    args = parser.parse_args()
    signed_drm_url = generate_signed_drm_url(args.media_id, args.drm_policy_id, args.api_secret)


  1. Retrieve the JW Player content URL. JW Player content URLs have the following format: https://cdn.jwplayer.com/v2/media/{media_id}.
APIUse the following steps to retrieve the media_id for the URL:
   • Make a GET v2/sites/{sites_id}/media/ call.
   • Locate the key for a content item in the API response.
DashboardUse the following step to retrieve the media_id for the URL:
   • From your JW Player dashboard Media Library, copy the media ID from the MEDIA ID column.

  1. Retrieve the JW DRM Policy ID:
    • From the Properties page, click (property name) > Content Protections.
    • In the Digital Rights Management section, copy the DRM policy ID from the DRM Policies table.


Read DRM with JW Stream Policy Reference to learn more about the DRM Policies.

  1. Append the DRM Policy ID to the content URL.

  1. Sign the content URL by appending a JWT signature. We strongly recommend using a proxy service to generate JSON web tokens (JWTs). If you generate JWTs within client-side JavaScript or a native app, you risk exposing your API secret.

  1. Add the content URL to the playlist property in your player JSON setup.
<div id="myElement"></div>

<script type="text/JavaScript">
        "playlist": "https://cdn.jwplayer.com/v2/media/{media_id}/drm/{policy_id}?token={token}"


Which features change when a property is DRM-enabled?

Did this page help you?