HLS AES-128 & SAMPLE-AES Content Protection

Radiant Media Player supports AES-128 & SAMPLE-AES content decryption with HLS (using 16-octet keys) as described in Apple HLS specification and documentation. This is supported for on-demand, live or DVR streaming.

For instructions on how to support AES-128 or SAMPLE-AES HLS for your streaming server, please refer to the documentation of your streaming server.

Supported features

  • Key can be hosted externally or embedded within the manifest
  • Custom initialisation vectors (IV)
  • Key rotation

A test HLS AES-128 encrypted stream is available here:

The player will automatically detect and start decoding an HLS AES-128/SAMPLE-AES encrypted stream based on the information provided in the manifest.

Player code example:

<!-- Include Radiant Media Player - here we use the optimised build for hls.js -->
<script src=""></script>
<!-- Player container element -->
<div id="rmp"></div>
<!-- Set up player configuration options -->
// Passing our HLS AES-128 stream
const src = {
  hls: 'https://your-aes-hls-url.m3u8'
// Player settings
const settings = {
  licenseKey: 'your-license-key',
  src: src,
  width: 640,
  height: 360,
  contentMetadata: {
    poster: [
const rmp = new RadiantMP('rmp');

Advanced use cases

More information on HLS can be found here (this page includes link to up-to-date HLS specification). More information on content protection can be found here.

An additional layer of security can be provided through the use of secure token. This implementation requires a server-side component in order to be efficient. We have published a guide on how to achieve this with Wowza Streaming Engine here.

If you want to secure the key file delivery over HTTPS please refer to this Apple guide.

For added security please consider the following: "Key files require an initialization vector (IV) to decode encrypted media. The IVs can be changed periodically, just as the keys can. Current recommendations for encrypting media while minimizing overhead is to change the key every 3-4 hours and change the IV after every 50 Mb of data."

Any of the above additional security layers needs to be implemented on your side, please refer to the documentation of your streaming solution for more information on how to best implement the needed AES features for your project.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 3.0 License.

©2015-2024 Radiant Media Player. All Rights Reserved.