Security is an essential aspect of live streaming, and Livery strives to ensure the utmost safety of your interactive live streams. In addition to our general security measures, Livery provides supplementary security features that can be configured through Livery's online portal(s).
By enabling domain-level privacy, customers can specify the websites that are authorized to integrate or embed the Livery video player. Any sites not included on the list will receive an error message when attempting to play the stream. The domain whitelisting feature can be accessed through the 'Stream Settings'.
This feature allows the whitelisting of one or more domains. If the domain list is empty, any player will be able to play the stream. Please note that changes made to the domain whitelisting can take up to 4 hours to become active.
When a viewer attempts to play the stream, the browser will verify if the underlying domain matches any of the domains on the list. Please be aware that subdomains must be added separately, as adding the main domain will not cover them. Additionally, the use of wildcard characters is supported
Secure session tokens are utilized to authenticate user sessions and prevent unauthorized sharing of the streaming URL. Token-based authentication mechanisms are widely used across the Internet to verify user rights and enhance security.
This feature employs tokens that are generated using a "trusted shared secret". This secret is shared between the customer and the CDN.
Token Authentication security ensures that the stream is delivered only to the authenticated user, thus preventing link sharing and player hijacking attacks.
Token Authentication can be enabled via the checkbox in the ‘Stream Settings’. When enabled the Livery backend generates a Token Authentication Key for each stream, which is automatically added to the configuration of the CDN.
The ‘Token Authentication Key’ is listed on the ‘Stream Details’ accessible via the portal.
The customer backend determines which users, logged in to the customer website, have access to the video stream. The customer backend generates tokens for these users using one of Akamai's Token Auth software development kits (SDKs). The Akamai documentation explains how they use long and short tokens. With Livery we use a advanced version of Token Authentication which only uses long tokens. This allows you to deny access to users without having to wait 24 hours, which would be the case when using the traditional setup.
To generate the tokens, the backend needs the Token Authentication Key, which can be copied from the ‘Stream Detail’ page in the Livery Portal. The customer's backend then forwards these tokens to the customer application or website. When using one of the SDK's to generate a token, make sure to use these settings.
| Parameter | Value |
|---|---|
| acl | * |
| window | The time the token should be valid |
| token_name | 'hdntl' |
| payload | 'hdntl' |
| key | The Token Authentication Key |
The customer application or website opens the Livery native or web player, which has an attribute called 'akamailongtoken'. This attribute can be set to the token retrieved from the customer backend.
The Livery player forwards the token to CDN when fetching the video data. Once the token expires, a new token needs to be provided from the customer application or website for the Livery player to authenticate with CDN again.
%%{init: {'theme':'dark'}}%%
sequenceDiagram
Customer backend->>Customer application or website: Token
Customer application or website->>Livery Player: Token
Livery Player->>CDN: Request stream with token
CDN-->>Livery Player: Authorised stream
The Livery platform utilizes an RTMP or SRT stream for the first mile delivery to the cloud encoder. To authenticate a live stream with the Livery Cloud encoder, a Stream Key is used. The key can be copied or regenerated via the ‘Stream Details’ page in the Livery portal.
CDN authentication is utilized to secure the connection between the encoder (both cloud and on-premises) and the CDN. This prevents hackers from hijacking the stream. For each stream, unique credentials are used to upload videos to the CDN, and this is done automatically by the Livery platform without requiring any intervention from the user.
Livery's captioning and subtitle pipeline uses Speechmatics Realtime for speech-to-text caption generation and Amazon Translate for multilingual subtitle translation.
In the Speechmatics step, the customer’s audio is processed through Speechmatics Realtime. Speechmatics documents that its Realtime SaaS service does not store audio files, transcripts, or configuration data. The generated captions are returned to our system for further processing. Source
Livery then send the generated caption text to Amazon Translate to create translated subtitle versions. At this stage, AWS receives caption text only, not the original media or audio, unless separately provided by our system.
For AWS AI services, including Amazon Translate, we have AWS AI services opt-out enabled by default. This means our standard configuration instructs AWS not to use customer content processed through supported AWS AI services for service improvement. Source
Livery only store captions, subtitles, translations, and related caption/subtitle metadata on our own controlled infrastructure. This infrastructure is managed under our own access controls, retention rules, security measures, and privacy policies. Speechmatics and AWS are used as processing services in the pipeline, not as the long-term system of record for caption or subtitle data.
Data is protected in transit. Speechmatics states that data is encrypted in transit using TLS 1.2 or higher, and AWS documents that Amazon Translate uses TLS 1.2 for data in transit.Source Source
Access to caption and subtitle data within our own infrastructure is restricted according to least-privilege principles and governed by our internal security and privacy controls.
AWS publishes data-protection and privacy documentation explaining how customer content is handled within AWS services, including customer control over content and AWS’s shared responsibility model. Our use of Amazon Translate is configured in line with these AWS controls, including the AI services opt-out policy described above.
In summary, Speechmatics Realtime is used as a transient speech-to-text processor, Amazon Translate is used to translate caption text, AWS AI services opt-out is enabled by default, and any retained caption or subtitle data is stored only in our own controlled infrastructure under our privacy and security rules.