Your Users, Your Accounts: Security

User account ids are distinct per provider. Two different providers can have a user with the same name, but these are treated as distinct users. The account_id you use with Ooyala APIs must be unique in your own systems. For privacy, Ooyala encourages that the value of account_id be some sort of GUID (global unique identifier), rather than a plain-text username or email address. For example, an acceptable account_id is to use a base64, URl-encoded, Secure-hash-algorithm-(SHA)-256 digest of the username or email address, salted with some secret string that only you know. This salt must not be reused for any of your vendors other than Ooyala. This ensures that neither Ooyala nor a "man-in-the-middle" hacker sniffing network traffic can translate back from your GUIDs to real usernames or passwords. The account_id must be less than 255 characters and must not contain reserved URL characters such as [/, &, |, or ]. In most cases, you do not need to explicitly create an account with Ooyala APIs; you simply refer to an account wherever an API request requires it.