Overview
Triton Digital's Secure Token mechanism provides a way to pass additional information about users in a trusted manner. "Trusted" means that the token can only be issued by a party (broadcaster, website, player application, etc.) that is in possession of the secret key.
Triton Digital's Secure Token works the same way for live streams, on-demand music services, and podcasts.
Using the Secure Token mechanism, you can:
Perform access control;
Vary the number of ads between registered/non-registered users, or other similar scenarios;
Send targeting data (for advertising) in a trusted and obfuscated manner;
Obtain analytics break-downs, based on the token's attributes.
The Secure Token mechanism has the following design goals:
Based on JSON Web Token (JWT) and JSON Web Signature (JWS) RFCs.
The token must have a limited validity period (to prevent replay attacks, bookmarks, or simply reuse of a stream URL by an unauthorized aggregator).
The token must be cryptographically signed using a secret key.
The token's secret key must not be shared between Triton customers, to allow revocation of old keys, and to prevent other customers from generating tokens that are valid for mounts/stations they do not own.
Must work for mobile and Web-based players.
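The following Python example is added here and is not Triton Digital's code. It shows how the design goals above (limited validity, a signature made with a secret key, one key per customer) translate into token issuance and verification. It assumes the HS256 algorithm from JWA, the standard `exp`, `iat` and `kid` fields, and constructed key IDs, secrets and claims; the actual tdtok and partnertok contents are defined in the specifications named below.

```python
import base64, hashlib, hmac, json

# Constructed per-customer keys (assumption): key id -> secret. One key per
# customer lets a key be revoked without affecting any other customer.
KEYS = {
    "cust-a": b"constructed-secret-for-customer-a",
    "cust-b": b"constructed-secret-for-customer-b",
}

def b64url(data: bytes) -> str:
    # RFC 4648 section 5 alphabet, with padding stripped as JWS requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue(kid: str, claims: dict, ttl: int, now: int) -> str:
    header = {"typ": "JWT", "alg": "HS256", "kid": kid}
    body = dict(claims, iat=now, exp=now + ttl)  # short validity window
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, body))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str, expected_kid: str, now: int) -> dict:
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm on the verifier side; this also rejects alg "none".
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # The verifier picks the key from the resource owner, not from the token alone.
    if header.get("kid") != expected_kid or expected_kid not in KEYS:
        raise ValueError("key does not belong to this customer")
    expected = hmac.new(KEYS[expected_kid], f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    # Claims are trusted only after the signature check; then enforce expiry.
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

Passing `now` explicitly keeps the checks deterministic; a real verifier would use the current time and allow for small clock skew.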
Two specific tokens are described:
tdtok is the access token used to grant stream access to players. (More information in the Streaming Specification...)
partnertok is the partner token allowing Triton Digital to authenticate first-party or third-party data sent by authorized parties (partners). (More information in the Advertising Technical Specification...)
References
JSON Web Token (JWT): https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
JSON Web Signature (JWS): https://tools.ietf.org/html/draft-ietf-jose-json-web-signature
JSON Web Algorithms (JWA): https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
RFC 4648, Section 5 (Base64URL Encoding): https://tools.ietf.org/html/rfc4648#section-5