Our focus is business video hosting. So all our packages include the option of restricting who can access your content. You can choose from various levels of privacy for your videos:
Being a private platform, we don’t have the equivalent of a YouTube search page listing videos uploaded by all users. But we know you may have some videos you want people to find. Setting a video as public means we add metatags to its embed code that let it be indexed by search engines. We also include video SEO tags that help the video stand out on Twitter and Facebook.
This is our default level of privacy: these videos can be watched by anyone but they would need to know the link to the video or have access to a page it is embedded on (such as on your website).
As the name suggests, these videos require the viewer to know the link and also know the password in order to watch a video. Since that password prompt is added by our player, videos that require a password can not be accessed externally by using the HLS .m3u8 link.
When a video requiring authentication is requested, whether on a landing page or embed code, our video CMS tries to authenticate the viewer. That determine whether or not it should show the video player. Currently we look for the presence of either a cookie (confirming the viewer is signed in to your account and thus authenticated), or, if a cookie is not present, a valid JSON Web Token (JWT).
A JSON Web Token (JWT) would be the method used to authenticate if your users have not gone via our sign-in process. You are responsible for issuing these tokens. So you would only issue one for viewers you have authenticated. As such using a JWT gives you greater control but it requires more development at your end to issue those JWTs.
If you do issue your own JWTs, you can also include custom claims to further restrict access. For example you can only accept requests using that JWT to certain IPs. Restricting to an IP is ideal for a corporate network. This checks whether the JWT was used from an IP address that is on your provided list/CIDR. If not, the player will not load.
A JWT can also be used to authenticate requests for the master HLS manifest. We provide that to let you use your own player, as you may have bespoke integration requirements, particular branding not covered by our standard player, or not need its additional functionality (like analytics). Since it uses Apple’s recommended HLS format, it uses adaptive bitrate to look great on all devices.
Alternatively a cookie is sent if the viewer is signed in to our system. That is why you are able to manage videos set as private within our online video platform, else it would not be possible to do so. It also works if a video is embedded on your own site using our provided embed code. That cookie can be set from our signin page or by using Single Sign-On (SAML2) if included in your package. Since Vidbeo is an enterprise video platform, larger organisations will often have an identity provider (such as Okta or Centrify). That can be used to see if the viewer is permitted to view the embedded content by checking to see if they are signed in to that external authentication provider.