Ooyala Account Token API

Access to certain Ooyala services, such as eCommerce and Watchlist, is controlled using an Ooyala Account Token. The Ooyala Account Token API generates an account token to authenticate a user. When calling these APIs, the client is required to provide the account token for authentication. After your application has logged in a user, it calls the Ooyala Account Token API route to get the account token. The account token is valid for a specific amount of time, 15 minutes by default.

API Route

The following route retrieves the account token:

POST https://player.ooyala.com/authentication/v1/providers/pcode/gigya?uid=user_id&signatureTimestamp=timestamp&UIDSignature=signature


The following variables must be substituted with their actual values.
Note: If you use Gigya for identity management, the values for user_id, timestamp and signature can be obtained using Gigya's API. Contact your Ooyala Customer Support Manager for information on integration with Gigya.
Parameter Description
pcode The provider code for your Ooyala account.
user_id The unique identifier you use to identify your end user.
timestamp The UNIX timestamp (seconds since epoch) in UTC time at which the request expires. The request is rejected if this timestamp is in the past or more than 3 minutes into the future.
signature The URI escaped, base64 encoded signature computed using the algorithm described below.

The JSON response returns the account token and its expiration time:

   “account_token” : “an opaque string”,
   “expires” : “time at which the token expires”


POST https://player.ooyala.com/authentication/v1/providers/mypcode/gigya?uid=1234abcde&signatureTimestamp=1457727984&UIDSignature=d%2FN%FP0wMSel7ptE%3D


   “account_token” : “Xvrw4qxPYCidlM”,
   “expires” : “2014-03-02T23:20:19+00:00”

If the request fails, a non-200 status code is returned. The body of the response contains only the error message, which will be the specific reason why the request failed such as Invalid signature.

Before Generating a Secret Key and Signature

If you are using Gigya for identity management, please contact your Ooyala Customer Support Manager to guide you on how to get the secret key and signature.

Note: If you are NOT using Gigya, follow the following procedures for generating a secret key and a signature.

Generate a Secret Key

Constructing the signature requires a secret key. This secret key should be the base64-encoded version of a 32-byte value.

Example secret key: Khs41aqNVOcfZRLViNajqvIDDirO2fn3VhhWGKgBT8g=. This exact value should never be used in an your implementation since this is publicly documented here. You are required to generate your own.

To create a secret key for use in the signature, use the following command on a UNIX or Mac machine:

openssl rand -base64 32

Before you share a secret key with Ooyala, you must setup email encryption and send your public key certificate to Ooyala. You can then send the secret key for the signature to Ooyala via a PGP-encrypted email. See https://ssd.eff.org/en/module/how-use-pgp-mac-os-x.

Generate a Signature

To create the base64 signature, work on the server side so your secret key can be used safely.

  1. Create a base string of timestamp_uid. Replace timestamp and uid (user_id) with their corresponding values.
  2. Convert this string into a binary array using UTF-8 encoding.
  3. Convert the base64 secret key into a binary array.
  4. Using your converted base string and converted secret key, calculate the cryptographic signature with the HMAC-SHA1 algorithm. The response is a binary array containing the signature.
  5. Convert the signature array into a base64 string.

Example Ruby code:

def generate_signature(uid, secret, timestamp) 
    base_string = "#{timestamp}_#{uid}"
    key = secret.unpack("m0").first      
    signature = OpenSSL::HMAC.digest("sha1", key, base_string)