Support

How do I limit public access to a video?

When you upload a video, we set its privacy to private by default. That works well for most people and may be sufficient for you, since we do not have the equivalent of a YouTube search page (where anybody in the world can see any video uploaded by any user). A private video has a noindex meta tag, which asks search engines (primarily Google) not to index it, and it has no social meta tags. So to watch a private video, someone would have to know its unique link ID or have access to a page it has been embedded on.

A higher level of privacy is achieved by setting a video’s privacy to password or, further still, to authenticated, which means it requires authentication to watch.

There are currently two ways a viewer can be authenticated: using a valid cookie or a JSON Web Token (JWT). So if you set a video as authenticated, make sure all viewers you want to watch your content are presenting one of these:

JSON Web Token (JWT)

A JWT sounds complicated, but essentially it is just a commonly agreed standard for passing claims between parties, in this case between you and us. You pass one in the link to a landing page, embed code, or HLS manifest. That token proves the request should be approved and so the video is shown. A missing or invalid JWT means a request for a video requiring authentication is rejected.

Since the JWT is made by you, we need a way to know the JWT being sent really was made by you. We currently do that using a public/private key pair. You create the key pair, keep your private key safe and secure, and provide us with the public key (on the JWT keys page within our video CMS). We then use the public key to make sure the JWT sent in a URL was indeed signed by you, by checking that its signature is correct.

Since you are creating the JWT, you may want to further restrict access. You can do that using custom claims, for example by specifying the IP(s) that the JWT can be used from. If you do that, then as well as making sure the JWT was signed by you, we also check that the request for the video came from a permitted IP.

To find out how to make one, please see our guide: How do I create a JWT?
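The JavaScript below is an added illustration of the signing and checking flow described above; it is not the service's own code and does not replace the guide. It assumes RS256 as the signing algorithm and a hypothetical custom claim named `ip`; the key pair, the `sub` value and the IP addresses are constructed samples.

```javascript
// Added example: signs and verifies a JWT with Node's built-in crypto module.
// Assumptions: RS256, a hypothetical "ip" claim, constructed sample values.
const crypto = require("node:crypto");

const b64url = (v) => Buffer.from(v).toString("base64url");
const fromB64url = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));

// Your side: sign the claims with the private key that never leaves your server.
function signJwt(claims, privateKey) {
  const input = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" })) + "." +
                b64url(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(input), privateKey);
  return input + "." + sig.toString("base64url");
}

// Verifying side: check the signature with the registered public key, then the
// optional IP restriction. Returns { ok, reason }.
function verifyJwt(token, publicKey, requestIp) {
  const parts = String(token || "").split(".");
  if (parts.length !== 3) return { ok: false, reason: "missing or malformed" };
  let header, claims;
  try {
    header = fromB64url(parts[0]);
    claims = fromB64url(parts[1]);
  } catch {
    return { ok: false, reason: "missing or malformed" };
  }
  // Pin the algorithm: the token must not choose how it gets verified.
  if (header?.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const valid = crypto.verify("sha256", Buffer.from(parts[0] + "." + parts[1]),
                              publicKey, Buffer.from(parts[2], "base64url"));
  if (!valid) return { ok: false, reason: "bad signature" };
  // Only trust claims after the signature has been verified.
  if (Array.isArray(claims?.ip) && !claims.ip.includes(requestIp)) {
    return { ok: false, reason: "ip not permitted" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed sample: throwaway key pair, placeholder subject, documentation-range IPs.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const token = signJwt({ sub: "VIDEO_ID_PLACEHOLDER", ip: ["203.0.113.10"] }, privateKey);
console.log(verifyJwt(token, publicKey, "203.0.113.10"));
console.log(verifyJwt(token, publicKey, "198.51.100.7"));
```

Because the IP list sits inside the signed payload, someone who obtains the link cannot widen it without invalidating the signature.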

Cookie

A cookie is made by us. It is a small file we set when a user identifies themselves as belonging to an account. That is done either by signing in using our sign-in form (entering an email and password) or by using an external identity provider (such as Okta or Centrify) along with single sign-on (SAML2).

Once the user is identified, we set a cookie, which our landing pages and embed codes can then see. That means videos belonging to that account will be shown.

That is how you are able to watch videos that are set as authenticated within our video CMS: a cookie is sent that authenticates you. Otherwise you would not be able to manage those videos.

Updated: September 25, 2023