The Axinom Mosaic platform allows you to protect your video content by encoding them with the Encoding Service and applying DRM to them. Learn how to configure the encoding settings in the management system.

Set up Encoding Profiles

The Axinom Encoding allows to encode videos while Axinom DRM protects them. This can be done by utilizing the Encoding API directly or by using a GUI. This documentation describes the process to configure the encoding settings in the Management System.

All Encoding Service settings are available in the Management System under Settings:

Encoding settings
Figure 1. Encoding Settings
For security reasons, all the secrets must be encrypted using the credentials protection approach. Secret values are encrypted by the Encoding API’s public key. This way, your secrets can only be decrypted by the video decoder process - but not by anybody else, including the Management System itself. See Credentials Protection Tool.

Acquisition and Publishing Profiles

Acquisition and Publishing Profiles define respectively the Input Storage and the Output Storage for the Encoder. Input Storage is where the source video files are taken from (section " Content Acquisition" in a job request). Output Storage is where the processed video files are stored (section " Content Publishing" in a job request).

For security reasons, the acquisition profile and the publishing profile should use different storages. In development environments it is ok to share the same storage account and differentiate by container or by a sub-folder, but for production it is advisable to use separate storage accounts with different credentials.
Encoding Service supports many different Storage Providers, including Azure Blob Storage, Amazon S3, FTPS. Profiles configured in the GUI currently only support Azure Blob Storage. Support for other storage providers will be added later.
As of today, only a single acquisition profile and a single publishing profile are supported. This will be extended later.
We recommend to create your storage using Mosaic Hosting Service. Alternatively, you can create storage using Microsoft Azure Portal.

Both, acquisition profile and publishing profile define the following properties:

Setting Description


A human-readable profile identifier

Storage Provider

The storage provider type, today only Azure Storage Account

Storage Account Name

The username/account name

Storage Account Key

The corresponding password/access key for the storage account above. It is a secret and must be encrypted, see credentials protection

Container Name

Which storage container to use. A Storage Account can have multiple Containers used for different purpose

Acquisition Profile

Acquisition Profile defines an Input Storage. Encoding Service assumes, that for every video all input files will be placed to the same folder. All video folders should be nested under a root folder inside the specified container.

Two different security boundaries are involved here:

  • The encoder side: the video encoder process runs in a secure processing environment without any outside process reaching into it. This process needs READ permissions to access the Input Storage.

  • The management side: The Mosaic GUI can show a list of all the videos that are available in the source storage location. This service only needs LIST permissions. It is advisable not to provide it any other permissions, such as a READ permission to reduce the exposure of non-protected video content.

Once the GUI will be extended with a capability to upload video directly, it will additionally need a WRITE permission. For security reasons, those should not be valuable videos but rather trailers or other short video clips.
Table 1. Additional properties of an Acquisition Profile
Setting Description

SAS Token

This is an Azure Storage SAS Token used by the Management System GUI to list the folders in the input storage. It must not be encrypted with Credentials Protection and it is not passed to the encoder.

Root Path

An optional value that is used to define some sub-folder from which the videos should be downloaded. If no value is specified, the videos are acquired from the root of storage container. If a value is specified, it must be a single folder name or a path, e.g folderName/anotherFolder. In this case, the videos are acquired relatively to this folder.

Acquisition Profile
Figure 2. Acquisition Profile

Publishing Profile

Publishing Profile defines an Output Storage. For every processed video, the Encoding Service will create a folder in the root of the Output Storage.

The folder name will be generated randomly, it will not be the same as the input folder name. You can find the folder name in the job details.
screen publishing profile
Figure 3. Publishing Profile

Processing Profile

A processing profile defines how the desired video, audio, subtitle, and closed caption tracks can be found. You can define more than one processing profile to allow different use cases. One of the available profiles must be selected before the video encoding process can start encoding a new video. After clicking the Processing tile, you see a list of all configured profiles in the profiles explorer. After selecting a profile, you can manage its settings.

Processing Profile
Figure 4. Processing Profile

The default profile is filled out with a set of reasonable values that you can adjust to your needs. A description of all the properties can be found in the content processing and media mapping documentation. You can find a short summary from the table below. There is also a mapping to the sections and properties of a job request (see Encoding API).

Field Job Request Mapping Description


A human-readable profile identifier. This can also be used as a profile identifier for customizable software integrations (e.g. during an ingest process of a customizable service).

Video Stream Expression


A regular expression for finding the file that contains the main video stream. Provided expression can be checked/verified by clicking a button next to the input field - the opened inline menu enables opening a new browser tab where regex can be tested.

Audio File Language Expression


A regular expression for finding the files that contain the audio tracks. Expression validation opportunity is also provided.

Subtitle File Language Expression


A regular expression for finding the files that contain the subtitle tracks and their language mapping. Expression validation opportunity is also provided.

Closed Captions File Language Expression


A regular expression for finding the files that contain the closed caption tracks and their language mapping. Expression validation opportunity is also provided.

Output Format


This field defines the output format of the encoded video, which could be one of the following:

  • DASH - creates a DASH video that allows to use the Widevine and PlayReady DRM technologies

  • HLS - creates a HLS video that allows to use the FairPlay DRM technology

  • CMAF - creates a CMAF video that allows to use the FairPlay, Widevine, and PlayReady DRM technologies

  • DASH & HLS - produces two videos: one HLS and one DASH video

  • Dash-on-Demand - a special version of the DASH output using the so-called " On-Demand Profile"

DRM Protection


Choose whether the video should DRM-protected (single key or multiple keys) or not. Before DRM protection can be used, DRM Settings have to be set

Tar Mode


Select a tar mode, also known as Archiving approach.

If you want to use more fine-grained control over the jobs, use the Encoding API directly.

DRM Settings

If you want to protect your videos with DRM, you need DRM credentials for your environment. (If you don’t plan to protect videos with DRM you don’t have to fill out this section.) If you didn’t do it yet, go to My Mosaic, DRM on the left side and Acquire Credentials. All the data you need below will be provided under the "Key Service" section.

Don’t lose the management keys, they can’t be restored (but you can request their reset - raise a support request).

DRM settings for the Encoding Service include the access data for the Axinom DRM Key Service. Encoding Service will then acquire the necessary encryption keys from the Key Service. For details see DRM integration.

DRM Settings
Figure 5. DRM Settings

You can find a short summary from the table below:

Field Description

Management API URL

URL of the Key Service Management API, e.g.

Tenant ID

Your Key Service tenant ID, UUID

Management Key

Your Key Service management key, must be encrypted, see credentials protection

Key Seed ID

The ID of the Key Seed from which they keys will be derived. Usually, you have only one Key Seed created automatically during DRM setup. But you can create more Key Seeds and decide which to use. Must be encrypted, see credentials protection.