Skip to main content
Both access control methods require setting a playbackPolicy on stream or asset creation. Without a playback policy, content is publicly playable by anyone with the playback URL.

JWT vs webhook

JWT access control

Step 1 — Create a signing key

Create a signing key pair in Studio under Settings > Signing Keys, or via API:
Store the private key in your secrets manager. It is shown only once.

Step 2 — Create a gated stream or asset

Step 3 — Sign a JWT (server-side API route)

The JWT must be signed server-side. Never sign tokens in browser code.

Step 4 — Pass the JWT to the player

The Player sends the JWT in the Livepeer-Jwt header for WebRTC and HLS requests, and as a jwt query parameter for MP4. For custom players, add the header manually:

Webhook access control

Create a gated stream with webhook type and a reference to your webhook:
Your webhook endpoint receives a POST with the viewer’s request details and must respond within 250 milliseconds:

Create a Livestream

Create streams with or without playback policies.

Webhooks

Full webhook setup, signature verification, and event types.
Last modified on May 22, 2026