Page is under construction.
Check the github issues for ways to contribute! Or provide your feedback in this quick form
Authentication
The Livepeer API uses API keys to verify and authorize requests. You can manage and review your API keys through Livepeer Studio. When sending a request, pass your API key in the Authorization header with a Bearer prefix.
CORS-Enabled Keys
Studio supports the creation of CORS-enabled API keys. This is a special option when generating an API key which allows a webpage to make requests directly to Studio, as opposed to coming from your backend.
Security with CORS Keys
The security model is different for CORS-enabled API keys. Since any user has access to these keys, the IDs of assets and streams must be kept secret from anyone who should not have admin control over them. For instance, a viewer should only have access to the playback ID, since knowing the asset ID (together with the CORS-enabled API key, which is embedded in the webpage) allows them to make changes to the asset. The same applies to streams: if a user has access to a stream ID alongside the CORS API key, they can modify the stream or view the stream key. If a viewer had access to the stream ID + CORS API key, they could hijack the stream. Only a playbackId should be exposed to the viewer.
Best Practices
- Use backend API keys by default - Only use CORS-enabled keys when absolutely necessary
- Never commit API keys - Use environment variables or secure secret management
- Rotate keys regularly - Especially if you suspect a key has been compromised
- Use separate keys - Different keys for development and production environments
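The following added example (not Livepeer's own code) shows the backend-key pattern recommended above together with the rule from "Security with CORS Keys": the key is read from an environment variable, the lookup happens server-side, and only the playbackId is returned to the viewer. The base URL, the `/stream/{id}` path, the `LIVEPEER_API_KEY` variable name and the sample response are assumptions.

```javascript
// Added example, not Livepeer's own code. Base URL, path, environment
// variable name and response field names are assumptions.
const API_BASE = "https://livepeer.studio/api"; // assumed base URL

// Build the Authorization header from a key that lives only on the backend.
function authHeaders(env = process.env) {
  const key = env.LIVEPEER_API_KEY; // assumed variable name
  if (!key) throw new Error("LIVEPEER_API_KEY is not set");
  return { Authorization: `Bearer ${key}` };
}

// Allowlist, not blocklist: copy out the one field a viewer may see, so
// the stream ID, the stream key and any other field never reach the page.
function toViewerPayload(resource) {
  const id = resource && resource.playbackId;
  if (typeof id !== "string" || id.length === 0) {
    throw new Error("resource has no playbackId");
  }
  return { playbackId: id };
}

// Look up a stream server-side and return only its viewer-safe view.
// fetchImpl is injectable so the function can be exercised offline.
async function getViewerPayload(streamId, fetchImpl = globalThis.fetch, env = process.env) {
  const url = `${API_BASE}/stream/${encodeURIComponent(streamId)}`;
  const res = await fetchImpl(url, { headers: authHeaders(env) });
  if (!res.ok) throw new Error(`Studio API returned ${res.status}`);
  return toViewerPayload(await res.json());
}

// Constructed sample response (not real data) and a stub replacing the network.
const sampleStream = {
  id: "stream-id-EXAMPLE",
  streamKey: "stream-key-EXAMPLE",
  playbackId: "playback-id-EXAMPLE",
};
const stubFetch = async () => ({ ok: true, status: 200, json: async () => sampleStream });
```

A backend route handler would call `getViewerPayload(streamId)` and send its return value to the browser unchanged.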