When you upload a video, by default we set its privacy as unlisted. That works well for most people, so it may be sufficient for you to leave it at that. It is a middle ground on privacy. We do not have the equivalent of a YouTube search page (whereby anybody in the world can see any video uploaded by any user), so ‘unlisted’ is perhaps not the best name. We chose it because we felt its meaning would be known by users familiar with YouTube. It has the same meaning in that someone has to know the link to the video (or have access to a page it is embedded on) in order to watch it. An unlisted video has no social meta tags added, and we add a noindex meta tag to ask search engines (primarily Google) not to index it.

However the highest level of privacy is achieved by setting a video’s privacy as private. A private video requires authentication to watch. There are currently two ways a viewer can be authenticated: using a valid cookie or a verified JSON Web Token (JWT). So if you make your video private, make sure viewers you want to watch your content are presenting one of those.

So where do they come from?

A cookie is made by us. It is a small file we set when a user identifies themselves as belonging to an account. That is done either by signing in with our sign-in form (entering an email and password) or by using an external identity provider (such as Okta or Centrify) along with single sign-on (SAML2).

Once the user is identified, we set a cookie, which our landing pages and embed codes can then see. Private videos belonging to that account will then be shown.

That is how you are able to watch videos that are set as private within our video CMS: a cookie is sent that authenticates you. Otherwise you would not be able to manage private videos.

How is a JWT generated?

A JWT is made by you. It is a long series of letters and numbers that you pass in the URL to a landing page, embed code, or HLS manifest, in the token parameter. That JWT proves the request should be approved and a private video shown. A missing or invalid JWT will mean a request for a private video is rejected.

However, since the JWT is made by you, we need a way to know that the JWT being sent really was made by you. We do that using a public/private key pair. You create the key pair and keep your private key safe and secure. You provide us with the public key (on the JWT keys page in our video CMS). We then use it to make sure the JWT you send in the URL was signed by you, and so we know it’s safe to show the private video.

Since you are creating the JWT, you may want to further restrict access. You can do that using custom claims. We support restricting access by IP or by country: specify the IP(s) or countries that the JWT can be used from. If you do that, then as well as making sure the JWT was signed by you, we also check that the request for the private video came from a permitted IP or country.
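
The signing and verification flow described above, as an added example (not code from this service): you sign the claims with your private key, and the receiving side checks the signature with your public key before applying an IP restriction. The RS256 algorithm, the `ip` claim name, the `exp` expiry claim and the placeholder URL are assumptions; use the algorithm and claim names the service documents.

```javascript
// Added example. Assumptions (not from the page): RS256 signing, a standard
// "exp" expiry claim, and a hypothetical "ip" claim listing permitted addresses.
const nodeCrypto = require('node:crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Your side: sign the claims with the private key, which never leaves your server.
function signJwt(claims, privateKey) {
  const signingInput = `${b64u({ alg: 'RS256', typ: 'JWT' })}.${b64u(claims)}`;
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${sig.toString('base64url')}`;
}

// Receiving side: verify with the uploaded public key, then enforce the claims.
function verifyJwt(token, publicKey, requestIp, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
    claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm: the token must not choose how it gets verified.
  if (header?.alg !== 'RS256') return { ok: false, reason: 'bad alg' };
  const signed = Buffer.from(`${h}.${p}`);
  const valid = nodeCrypto.verify('sha256', signed, publicKey, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  // Claims are trusted only after the signature check has passed.
  if (typeof claims?.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (Array.isArray(claims.ip) && !claims.ip.includes(requestIp)) {
    return { ok: false, reason: 'ip not permitted' };
  }
  return { ok: true, claims };
}

// Constructed demo data: a throwaway key pair and a documentation-range IP.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoClaims = { exp: Math.floor(Date.now() / 1000) + 300, ip: ['203.0.113.7'] };
const demoToken = signJwt(demoClaims, privateKey);
// The JWT travels in the token parameter; host and path here are placeholders.
const playbackUrl = `https://video.example/embed/VIDEO_ID?token=${demoToken}`;
```

A short expiry limits how long a link copied from the URL remains usable, and the IP claim limits where it can be used from.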