Secure MP3/AAC or HLS streams by single key

This guide explains how to maintain control over your Streaming Radio MP3/AAC or HLS by activating single key protection (token) to decide e.g. whether a listener can listen to your radio or not.

Preamble

The principle is simple: at each connection, you will make a request to the Infomaniak API which will return you in return a unique token with a limited and adjustable lifespan. This token will allow anyone who owns it to consume the flow during this period.
You can protect an MP3/AAC or HLS stream independently of each other (idem for geolocation elsewhere).
The activation of the restriction implies a change in the flow configuration which can take a few minutes to be replicated on the servers.

Protecting a single key audio stream

To do this, just go to the restrictions settings and activate the protection by token on the stream you want to secure:

Click here in order to access the management of your product on the Manager Infomaniak (Need help?).
Click directly on the nameallocated to the product concerned.
Click on the name of the audio stream concerned.
Click on Restrictions in the left side menu.
Choose HLS if necessary.
Click on the action menu ⋮located to the right of the element concerned.
Click on Restriction by token:

Then activate the protection.

Be careful, when you enable this option, access to the stream will be instantly blocked for new connections. Adapt your Players to take into account the restriction, as illustrated in the example below:

Create a token API Radio

To access the Radio API, you must first authenticate with a token application. This step is only to be done once. To create this application token, read this guide.

The scope is radio and unlimited life to avoid having to regenerate a code on a regular basis. Once the token is generated, copy it to paste it into the example below.

Example of use in PHP language

For MP3/AAC or HLS, the code can be substantially the same, only the URL called in POST changes in its form.

Paste the generated token in place of the indicated token below:

if (!defined('API_TOKEN')) {
     define('API_TOKEN', 'AYF5lSh3c7Xy5974Fs12RTkTThujT-L9R4Xk2ZfGyP6sV7QqJ1oC3jD8nFtKzIxUeMw5oNzR6');
}
/**
 * Fonction générique pour executer des requêtes cURL
 *
 * @param string $method Méthode HTTP (GET, POST, PUT, etc...)
 * @param string $url Url de l'api a requêter
 * @param array $headers Liste des en-têtes HTTP (l'autorisation doit être passée ici avec un ['Authorization: Bearer ']
 * @param array $payload Un tableau contenant les données pour créer un token
 * @return mixed
 */

function request(string $method, string $url, array $headers = [], array $payload = []): mixed{
    // prepare options array
    $opts = [
        CURLOPT_HTTPHEADER => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_URL => $url,
        CURLOPT_CUSTOMREQUEST => strtoupper($method),
    ];

    // add payload if relevant
    if ($payload && $method !== 'GET') {
        $opts[CURLOPT_POSTFIELDS] = json_encode($payload);
    }
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $result = curl_exec($ch);
    if(curl_errno($ch)){
        throw new Exception(curl_error($ch));
    }
    $data = json_decode($result, true);
    if ($data['result'] === 'error') {
        throw new Exception($data['error']['description'] ?? 'an error occured');

    }
    return $data['data'];
}

We're going to create the token, the token creation URL is broken down as follows:

For an MP3 / AAC stream

POST https://api.infomaniak.com/1/radios/acl/streams/mountpoint.mp3/token

Example to protect https://newradiotest.ice.infomaniak.ch/newradiotest-128.aac the road will be: https://api.infomaniak.com/1/radios/acl/streams/newradiotest-128.aac/token

For an HLS stream

POST https://api.infomaniak.com/1/radios/acl/hls_streams/<stream>/token

Example to protect https://myradiostream.radiohls.infomaniak.com/myradiostream/manifest.m3u8 the road will be: https://api.infomaniak.com/1/radios/acl/hls_streams/myradiostream/token

Example in the case of MP3 / AAFC, consider adjusting:

$token = request(
    'POST',
   'https://api.infomaniak.com/1/radios/acl/streams/newradiotest-128.aac/token',
    // en-tête d'authorization
    [
        'Authorization: Bearer ' . API_TOKEN,
        'Content-Type: application/json',
    ],
    /**
     * payload pour créer le token, vous pouvez passer les valeurs suivantes
     * window     | 300               | optionnel | durée de validité du token (default: 5 minutes)
     */

    [
        'window' => 3600, // 1h validity
    ]
);

It is important to note that if this code is generated when loading the page, the listener will have "window" seconds to start reading the stream. Beyond this time, the token will expire, and the stream will no longer be launched unless the page is reloaded. Depending on your needs and your use case, it will be necessary to adjust this time frame in the best possible way.

You will also need to replace below the URL to read your stream instead of the one indicated while keeping the parameter $token At the end. And finally, we show the Player (here a simple html5 tag, but of course we can add any overlay after that, the token being passed in the settings) $_GET of the url).

$streamUrl = "https://newradiotest.ice.infomaniak.ch/newradiotest-128.aac?$token";
echo "<audio controls=""><source src="$streamUrl"></audio>";

Link to this FAQ:

Display all FAQs for this product