Axinom DRM can be used to encrypt live content with GCP Live Stream API. Acquire a key, store it as a GCP secret, reference it from the channel settings, and stream!

GCP Live Stream API

With Live Stream API, you can transcode live, linear video streams into a variety of formats. Live Stream API benefits broadcasters, production companies, businesses, and individuals looking to transform their live video content for use across a variety of user devices.

Live Stream API supports content encryption using DRM (Widevine, PlayReady, FairPlay, ClearKey). However, Live Stream doesn’t directly integrate with any DRM tools. Instead, you are supposed to acquire an encryption key from a DRM provider yourself and pass it to the Live Stream API using Secret Manager.

Axinom DRM Key Service is well suited for this purpose.

Pre-requisites

To use Axinom DRM:

  • Register on the Axinom Portal

  • Start a free trial

  • Go to My Mosaic / DRM and acquire credentials

  • For using the SPEKE protocol you will need the following information:

  • For using the Widevine Common Encryption protocol you will need the following information:

    • Widevine Provider Name

    • Widevine Signing Key

    • Widevine Signing IV

  • Once you are ready to go to production, upgrade your Axinom account to a paid plan.

Integration Steps

To create your first encrypted stream, follow these steps. Google's guide describes the details.

Acquire a key from Axinom DRM

You can acquire a key from Axinom DRM Key Service using any of the supported protocols.

We recommend using the widely used protocols SPEKE v2 or Widevine Common Encryption.

For initial integration, you can use Axinom UI tools (SPEKE and Widevine Common Encryption respectively) to generate the keys without any programming.

For production use, we recommend automating key acquisition and storage in GCP Secret Manager (see below).

Caution
However you acquire the key, make sure you record the respective keyId. This is a unique identifier for the key and is required later to get a DRM license from the DRM License Service.

Convert the key into a format that Live Stream API can use

The key must be provided to Live Stream API in the following JSON format. The example holds a key for Widevine configurations:

{
  "encryptionKeys": [
    {
      "keyId": "44ec248b048c43a6a6ee58a752c6f9f8",
      "key": "f1967daca83e81f38d80aa741e7b32c2",
      "keyUri": "skd://44ec248b048c43a6a6ee58a752c6f9f8",
      "matchers": [
        {
          "muxStreams": [
            "fmp4_widevine_cenc_video",
            "fmp4_widevine_cenc_audio",
            "fmp4_widevine_cbcs_video",
            "fmp4_widevine_cbcs_audio"
          ]
        }
      ]
    }
  ]
}

Format details are described in the DRM protocol documentation.

Create a secret and store your encryption key there

Create a secret using GCP Secret Manager and store the key in it.

Refer to the Create a secret guide from Google.

Caution
Make sure you copy the key value to GCP Secret Manager by the shortest path and don’t store any copies of the key, as the security of your assets depends on this key remaining secret.

Configure the channel to use the encryption key

In your channel configuration, use the "encryptions" element to describe the details. Specifically, provide a reference to the secret that contains the key. Make sure you have granted the secretAccessor role to the service account used to run the live stream.

Now you can start the channel.

Live Stream API encrypts the stream using the key from the secret.

To replace the key:

  • Stop the channel

  • Generate a new key, store it in a secret and update the channel configuration

  • Start the channel

Automating Key Acquisition

If you regularly use encrypted live streams in production, you may want to automate the key acquisition process.

Mainly, you have to automate the following steps:

  • Acquire an encryption key from Axinom DRM Key Service

  • Transform the key information into the JSON format that Live Stream API can use

  • Store the key in GCP Secret Manager.

Acquire Key from Axinom DRM

Axinom DRM Key Service offers a Web API which can be easily accessed:

First, make sure you can call the API successfully using one of the tools suggested above.

Then try the same using a script sending an HTTP request.

Widevine Common Encryption is slightly easier to implement. The request is shorter, and the response already arrives as JSON.

SPEKE, by contrast, relies on the CPIX format, which is an industry standard for exchanging key information. It is based on XML, and it requires creating a template document which you send as the request. The Key Service returns the same document to you, extended with the actual generated key information.

Transform the key into the JSON format

Depending on the protocol you use, you receive the key details either as CPIX (an XML-based format) or as JSON.

You just need to transform the key information into the JSON format that Live Stream API can use. This is a straightforward field mapping task.
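The field mapping for the CPIX case, as an added example that is not Axinom's or Google's own code. It assumes the Key Service returns each content key as a clear `pskc:PlainValue` (standard CPIX element names), takes the mux stream names as a parameter, and builds `keyUri` in the same form as the sample JSON above; the CPIX document is constructed from that sample's values.

```python
import base64
import json
import uuid
import xml.etree.ElementTree as ET

NS = {
    "cpix": "urn:dashif:org:cpix",
    "pskc": "urn:ietf:params:xml:ns:keyprov:pskc",
}

def cpix_to_livestream_secret(cpix_xml, mux_streams):
    """Map the content keys of a CPIX document to the Live Stream secret JSON."""
    root = ET.fromstring(cpix_xml)
    entries = []
    for ck in root.iterfind("cpix:ContentKeyList/cpix:ContentKey", NS):
        key_id = uuid.UUID(ck.attrib["kid"]).hex  # 32 hex chars, no dashes
        plain = ck.find("cpix:Data/pskc:Secret/pskc:PlainValue", NS)
        if plain is None or not plain.text:
            # Assumption: the key arrives as a clear PlainValue; an
            # EncryptedValue would have to be decrypted first.
            raise ValueError(f"no PlainValue for key {key_id}")
        key = base64.b64decode(plain.text.strip(), validate=True)
        if len(key) != 16:
            # Report only the length, never the key material itself.
            raise ValueError(f"key {key_id} is {len(key)} bytes, expected 16")
        entries.append({
            "keyId": key_id,
            "key": key.hex(),
            "keyUri": f"skd://{key_id}",  # same form as the sample JSON
            "matchers": [{"muxStreams": list(mux_streams)}],
        })
    if not entries:
        raise ValueError("CPIX document contains no ContentKey elements")
    # Strict JSON without comments, usable as the secret payload.
    return json.dumps({"encryptionKeys": entries}, indent=2)

# Constructed sample, reusing the key values from the JSON shown earlier.
SAMPLE_CPIX = """<cpix:CPIX xmlns:cpix="urn:dashif:org:cpix"
    xmlns:pskc="urn:ietf:params:xml:ns:keyprov:pskc">
  <cpix:ContentKeyList>
    <cpix:ContentKey kid="44ec248b-048c-43a6-a6ee-58a752c6f9f8">
      <cpix:Data><pskc:Secret><pskc:PlainValue>{}</pskc:PlainValue></pskc:Secret></cpix:Data>
    </cpix:ContentKey>
  </cpix:ContentKeyList>
</cpix:CPIX>""".format(
    base64.b64encode(bytes.fromhex("f1967daca83e81f38d80aa741e7b32c2")).decode())

if __name__ == "__main__":
    out = cpix_to_livestream_secret(SAMPLE_CPIX, ["fmp4_widevine_cenc_video"])
    print(json.loads(out)["encryptionKeys"][0]["keyId"])  # key is not printed
```

Pass the returned string directly to the Secret Manager call as the secret payload rather than writing it to disk or logging it first.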

Store the key in GCP Secret Manager

This can be achieved using GCP APIs.

You can use a sample implementation provided by Google.

Support

Should you have any further questions on this integration, feel free to contact Axinom Support.
