Apple FairPlay

The Ooyala Player API for Apple FairPlay provides server-side support for Apple's FairPlay Streaming (FPS) by processing an FPS key request and returning a key response (CKC). Once you send your FPS credentials to Ooyala, at runtime your asset gets its CKC using Player API routes.

Note: Apple FairPlay Streaming is supported in Mobile SDK for iOS v4.13.0, see Mobile SDK for iOS.

Information Required for Key Retrieval During Playback

You must request a deployment package from Apple to use Fairplay Streaming (FPS). This requires you to have an Apple developer account belonging to your organization. See on how to get an Apple developer account. After you establish an Apple developer account, you can request an FPS deployment package from this page

After you obtain a deployment package from Apple, send these items to Ooyala to use Ooyala's server for FPS key retrieval during playback.

  1. Your FPS application secret.
  2. Your FPS RSA private key in PEM (Privacy-enhanced Electronic Mail) format.
  3. Your FPS public key certificate in DER (Distinguished Encoding Rules) format.

Items 1 and 2 are confidential and must not be sent unencrypted via email or text. You must use PGP encryption to send the FPS application secret and FPS RSA private key to Ooyala. See

Player API

The route is used for FPS support during playback.

To get your public certificate use the following route using your provider code as pcode:
[GET] /sas/fps/pcode/certificate
This API call needs to be signed in the same way as the calls to the Backlot API. Signing is explained at General Algorithm for Signing Requests.

The response is JSON with the following structure:

{ "certificate" : "URL-safe base64 encoded certificate" } 

If the request succeeds, the response status 200 is returned.

Upon the decoding of the URL-safe base64 decoding, the value of the certificate field will be your public certificate in DER format. If an error occurs, the response will be the following JSON:
"error" : "error message"

The error message will be a specific reason why the request failed.

To request a CKC (Content Key Context):

POST /sas/fps/pcode/key

The body of the POST request must be JSON with the fields:

  "asset_id" : "key id from manifest file",
  "spc" : "base64 encoded spc",
  "auth_token" : "auth token returned during authorization request"

The m3u8 manifest file will have the following tags:


The asset_id is the portion after skd:// in the URI tag. In this case it is key65.

The response is JSON with the following structure:

{ "ckc" : "url safe base64 encoded ckc" }

If the request is successful, the status code 200 is returned.

If the request fails, a non-200 status code is returned.

{ "error": "error message" }

The error message will be a specific reason why the request failed.


If you are also doing your own Fairplay video packaging, please see the following page for the setup you will need DRM Attributes for Remote Assets (Including Live Streams). You also need to make sure that the value of the asset_id field in the m3u8 manifest files is set to the embed code for that asset.


The following table describes the parameters of the routes.
Parameter Description Required?
pcode The provider code for your account. Yes
asset_id The asset_id obtained from the m3u8 manifest file for the asset. In the m3u8 manifest file the asset_id is the portion after skd:// in the URI tag. Yes
spc The SPC (Server Playback Context) generated by your app. The SPC must be generated according to the specification published by Apple. The SPC must be URL-safe base64 encoded. Making a base64 encoded value URL safe involves substituting + with - and / with _. See more about this here Yes
auth_token This is the token returned by Ooyala’s playback Authorization API. The Authorization API is used by Ooyala's players to get the URL pointing to the content. The Authorization API is described in Player Authorization API for Player V3 (Deprecated). This parameter is required only if the asset being played requires the Ooyala Player Token (OPT) restriction. Because FPS is used for premium content, you should use OPT for those assets. (Available only if your Ooyala account includes this functionality. To enable Ooyala Player Token, contact your account manager.) No

Configuring an iOS Client to Play FairPlay Content

To decrypt and play FairPlay content, your code must assign an OOEmbeddedSecureURLGenerator object to the OOOptions object used by the OOOoyalaPlayer.
  1. Create an OOOptions object.
  2. Create an OOEmbeddedSecureURLGenerator object and assign it to the OOOptions.secureURLGenerator property. The OOEmbeddedSecureURLGenerator object contains the API Key and secret generated on the server.
  3. Pass the OOOptions object to the OOOoyalaPlayer object.
For example, the following code assigns the created OOEmbeddedSecureURLGenerator object to the OOOptions.secureURLGenerator property:
  OOOptions *options = [OOOptions new];
  options.secureURLGenerator = [
    [OOEmbeddedSecureURLGenerator alloc] 

  // Create Ooyala ViewController, with self as the embed token generator
  OOOoyalaPlayer *player = [
    [OOOoyalaPlayer alloc] 
        [OOPlayerDomain alloc]
Note: For production environments, the API Key and Secret must be generated on the server and dynamically assigned to the fields contained in the OOEmbeddedSecureURLGenerator object. They must not be stored in your code as static values.

For a complete example, see the Content Protection Sample App.