Implement HMAC authentication (Beta) - Google Ad Manager Help (2024)

Authenticate DAI streams using an HMAC-based token

Signature-based authentication allows you to limit DAI content authentication for each stream request based on a specific time and content scope. Instead of a static API key string, this method uses a Hash-based Message Authentication Code (HMAC) generated using the SHA-256 hash algorithm and an authentication key created in Ad Manager.

Learn how to create an authentication key in Ad Manager.

This feature is in Beta
Features in Beta phase might not be available in your network. Watch the release notes for when this feature becomes generally available.

Build HMAC-based authentication tokens

An authentication token needs to be created dynamically for each stream request. Content scope, time scope, and the authentication signature are set using parameters, separated by tildes (~).

Content scope is slightly different for live linear content and on-demand (VOD) content. Both on-demand and live linear content scope can appear in the same signature, but content will not be authorized unless you include all content scope parameters.

Live linear authentication token format
event=<event-code>,<event-code>~exp=<utc-timestamp>~hmac=<signature>

Video on demand (VOD) authentication token format
cmsid=<content-source>,<content-source>~exp=<utc-timestamp>~vid=<video-id>,<video-id>~hmac=<signature>

Token parameters

Parameter | Description
event | Content scope for live linear content. Include a comma-separated list of live stream asset keys to authorize. This value is listed as the "Asset key" in the "Settings" tab of each Ad Manager live stream.
cmsid, vid | Content scope for video on demand (VOD) content. Include a comma-separated list of content source IDs (cmsid) and video IDs (vid) to authorize. If a user attempts to access an out-of-scope video ID, even if the content source is permitted, the request is not authorized. If the vid parameter isn't included, no content is authorized.
exp | Time scope. Include a UTC timestamp, such as "1489680000". Only requests received before the time indicated in the exp parameter are authorized.
hmac | HMAC signature. Include an authentication signature generated using the SHA-256 hash algorithm, encoded as a HEX string. This signature is generated using all other parameters of the token along with the authentication key created in Ad Manager as the "secret key".

Parameters must be arranged in alphabetical order when generating the hashed signature. Once generated, append the signature to the end of the token using hmac=<signature>.

For example:

  • Message to encode:
    event=iYdOkYZdQ1KFULXSN0Gi7g~exp=1489680000
  • Secret key, created in Ad Manager:
    A7490591290583E4B93189DEE7E287C299FC686872ABC7ADC9F9F536443505F
  • HMAC signature output:
    8825640909152B9D1678CD477D8760A8E6727DE02EEE57AD2CB9D72AAFC5D7E7

When the video stream is requested, Ad Manager creates its own encoded signatures using the parameters in your request and active authentication keys to verify that one matches the signature in your request.
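The token construction and the server-side check described above, as an added example (not Google's code). It assumes the key string is used as UTF-8 bytes, that the hex signature is compared case-insensitively, and that exp is Unix seconds; SAMPLE_KEY and all function names are constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed demo key; a real key is created in Ad Manager.
SAMPLE_KEY = "constructed-demo-key-not-from-ad-manager"

def build_message(scope, exp):
    """Join content scope and exp in alphabetical order, separated by '~'."""
    params = {name: ",".join(values) for name, values in scope.items()}
    params["exp"] = str(exp)
    return "~".join(f"{name}={params[name]}" for name in sorted(params))

def sign(message, key):
    # Assumption: the key string is used as UTF-8 bytes, not hex-decoded.
    mac = hmac.new(key.encode(), message.encode(), hashlib.sha256)
    return mac.hexdigest().upper()  # upper-case hex, like the page's sample

def build_token(scope, exp, key):
    message = build_message(scope, exp)
    return f"{message}~hmac={sign(message, key)}"

def verify_token(token, active_keys, now=None):
    """Recompute the signature with each active key, then check exp."""
    message, sep, signature = token.rpartition("~hmac=")
    if not sep:
        return False  # no signature present
    presented = signature.upper().encode()
    # Check the signature before trusting any field; compare in constant time.
    if not any(hmac.compare_digest(presented, sign(message, k).encode())
               for k in active_keys):
        return False
    fields = dict(p.split("=", 1) for p in message.split("~") if "=" in p)
    now = time.time() if now is None else now
    # Only requests received before exp are authorized.
    return fields.get("exp", "").isdigit() and now < int(fields["exp"])
```

Accepting a list of active keys lets a retired and a current key overlap during rotation, which is what "active authentication keys" implies on the verifying side.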

Advanced content scoping

Any of the three content scope parameters (event, cmsid, or vid) can include an asterisk (*) to prefix-match, suffix-match, or match any value. This allows broad access to subsets of content using a single signature.

For example, to grant access to all on-demand videos for a particular content source:

cmsid=<content-source>~exp=<utc-timestamp>~vid=*~hmac=<signature>

Or, to grant access to all live events with event code suffix -free-access:

event=*-free-access~exp=<utc-timestamp>~hmac=<signature>

The most permissive value for any parameter takes precedence, so cmsid=news-*,* matches any source.
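A model of the scoping rules above, added here as an example for auditing how much a token grants before you issue it; it is not Ad Manager's implementation. It checks scope only (no signature or expiry), treats an asterisk in the middle of a value like any other asterisk (the page does not cover that case), and all function names are hypothetical.

```python
import re

def pattern_matches(pattern, value):
    # '*' matches any run of characters; every other character is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None

def list_allows(patterns, value):
    # The most permissive entry wins: one matching pattern is enough.
    return any(pattern_matches(p, value) for p in patterns.split(","))

def parse_scope(token):
    """Split a '~'-separated token into its name=value parameters."""
    return dict(part.split("=", 1) for part in token.split("~") if "=" in part)

def allows_live(token, event_code):
    scope = parse_scope(token)
    return "event" in scope and list_allows(scope["event"], event_code)

def allows_vod(token, cmsid, video_id):
    scope = parse_scope(token)
    # Both parameters are required; a token without vid authorizes nothing.
    if "cmsid" not in scope or "vid" not in scope:
        return False
    return (list_allows(scope["cmsid"], cmsid)
            and list_allows(scope["vid"], video_id))
```

Running candidate scopes through a check like this makes over-broad grants visible, such as a list that contains a bare * next to narrower entries.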

Implement your authentication token

After you've built an HMAC-based authentication token, you need to update your application to authorize video streams. The authentication token can be implemented in the Authorization request header or passed as a query string or form data parameter.

Option 1: Use the Authorization request header

To authenticate in the Authorization header of your request, add a token= parameter that contains your HMAC-based authentication token. In addition to the token, other parameters can be added, if needed.

Authorization: DCLKDAI token="event%3Devent-code1%2Cevent-code2~exp%3D1489680000~hmac%3Dabc123def456"

Option 2: Use a query string or form data parameter

To authenticate within a query string or form data, add an auth-token= parameter that contains your HMAC-based authentication token.

https://dai.google.com/linear/hls/event/<event-code>/master.m3u8?auth-token=event%3Devent-code1%2Cevent-code2~exp%3D1489680000~hmac%3Dabc123def456

https://dai.google.com/ondemand/hls/content/<cmsid>/vid/<video-id>/master.m3u8?auth-token=cmsid%3Dcontent-source1%2Ccontent-source2~exp%3D1489680000~vid%3Dvideo-id1%2Cvideo-id2~hmac%3Dabc123def456

If you're using the IMA SDK, you should use streamRequest.authToken to set the token.

For any issues related to DAI troubleshooting or outages, contact publisher support.


FAQs

How to implement HMAC authentication? ›

Implementing HMAC

Choose a hash function (such as SHA-256 or SHA-512) to compute the message. Choose a secret key that is randomly generated, with the length dependent on the level of security your platform needs.

How to generate HMAC SHA-256 signature? ›

Steps for Computing a Message Signature
  1. Step 1: Calculate x-sntl-content-sha256. Calculate the SHA256 content of a request body, which is used as a value for x-sntl-content-sha256 in the stringToSign .
  2. Step 2: Create stringToSign. ...
  3. Step 3: Calculate HMAC-SHA256 of stringToSign. ...
  4. Step 4: Form the x-sntl-signature Header.
Apr 24, 2024

What should you add to an HMAC to ensure that the secret value is unique for each request? ›

This is achieved by including both a public (key-identifier) and private key (key-secret) in each message, the latter of which is only known to the server and client. Using these values, the client will generate a unique HMAC (a hashed code) representing its request to the server.

What is the HMAC secret key? ›

The secret cryptographic key is what enables a user to make an encrypted message readable after it has been encrypted by an algorithm. In an HMAC transaction, the client and server must agree on the secret key. This provides a way to decode messages, which must stay secret, to maintain the transaction's integrity.

What is the best practice of HMAC authentication? ›

3 Best practices for HMAC

To use HMAC effectively and securely, it's recommended to use a strong hash function, such as SHA-256, SHA-384, or SHA-512. A secure key should be generated randomly, stored securely, and rotated periodically. The key should be long enough to prevent brute-force attacks.

Is HMAC authentication or authorization? ›

Hash-based message authentication code (or HMAC) is a cryptographic authentication technique that uses a hash function and a secret key. With HMAC, you can achieve authentication and verify that data is correct and authentic with shared secrets, as opposed to approaches that use signatures and asymmetric cryptography.

How to generate an HMAC? ›

Create an HMAC key
  1. In the Google Cloud console, go to the Cloud Storage Settings page. Go to Settings.
  2. Select the Interoperability tab.
  3. Click Create a key for a service account.
  4. Select the service account you want the HMAC key to be associated with.
  5. Click Create key.

What is the difference between SHA-256 and HMAC? ›

HMAC stands for "Hash-based Message Authentication Code," and SHA-256 refers to the Secure Hash Algorithm 256-bit variant. HMAC-SHA-256 combines the strength of SHA-256's cryptographic hashing with HMAC's ability to authenticate the integrity and source of a message.

What is signing with HMAC authentication? ›

HMAC Signing is an access token method that adds another level of security by forcing the requesting client to also send along a signature that identifies the request temporally to ensure that the request is from the requesting user, using a secret key that is never broadcast over the wire.

What are the disadvantages of HMAC? ›

One of the main drawbacks of HMAC is that it requires both parties to share a secret key in advance, which can be challenging in some scenarios, such as public key infrastructures or distributed systems.

What is the difference between HMAC and JWT? ›

A JWT (when using HMAC as the signing scheme) is basically just an HMAC message where the message data is a JSON object. The interesting thing about the JWT system is that the sender and the receiver of the JWT are typically the same entity, that is, the webserver.

What is the difference between HMAC and public key? ›

With an HMAC function, the recipient of the message could alter the message however they please, because they have the key to do so. The recipient could then write whatever they want as the sender. However, with a Public Key Cryptography system, only the sender has the private key.

What is HMAC for dummies? ›

HMAC stands for Keyed-Hashing for Message Authentication. It's a message authentication code obtained by running a cryptographic hash function (like MD5, SHA1, and SHA256) over the data (to be authenticated) and a shared secret key. HMAC is specified in RFC 2104. HMACs are almost similar to digital signatures.

How to create HMAC key in gcp? ›

To create an HMAC key for a user account, you must be logged into the Google Cloud console with the user account and go to the Interoperability tab in the Cloud Storage Settings menu of a project for which you have the resourcemanager. projects.

How do I add a HMAC key? ›

Add HMAC keys for your app

From the top menu, select Settings. Select Connect in the INTEGRATIONS section in the left menu. In the horizontal navigation at the top of the Connect page, select Connect Keys, then generate at least one HMAC key by choosing Add Secret Key.

How to generate HMAC? ›

How can I generate a new HMAC key?
  1. Log in to your Customer Area.
  2. Go to Developers > Webhooks.
  3. Search by endpoint URL or WebhookID to find the webhook you want to update and select the edit icon.
  4. Go to Security and select the edit icon for HMAC key.
  5. Select Generate for a new key.

How do you implement security authentication? ›

How to secure your authentication mechanisms
  1. Take care with user credentials. ...
  2. Don't count on users for security. ...
  3. Prevent username enumeration. ...
  4. Implement robust brute-force protection. ...
  5. Triple-check your verification logic. ...
  6. Don't forget supplementary functionality. ...
  7. Implement proper multi-factor authentication.

How do you implement basic access authentication? ›

Client side
  1. The username and password are combined with a single colon (:). ...
  2. The resulting string is encoded into an octet sequence. ...
  3. The resulting string is encoded using a variant of Base64 (+/ and with padding).
  4. The authorization method and a space character (e.g. "Basic ") is then prepended to the encoded string.

How to use HMAC authentication in Postman? ›

Configuring Postman to use Veracode HMAC Authentication
  1. Open a new request.
  2. Copy the script (at the bottom) - to the Pre-req section of the request - Make sure to add your API ID and Key to the script.
  3. Add a new header. a. ...
  4. If your action needs any parameters, add them on the parameters section of the request.

Article information

Author: Stevie Stamm
