Direct Video File Access

What is direct video file access?

Each video hosted by SproutVideo has various video asset files associated with it that are created during the encoding process. By default, we protect these video assets to prevent access to them outside of our player, which gives our customers full control over the security of their content. However, it is possible to get the direct video asset file URLs if necessary. You may need these to use a third-party player, to create your own app, or for any number of other use cases.

There are two methods to access these files. The first way is to enable Insecure Direct Video File Access, either as your account-wide default, or for specific videos only. The second option is to create secure signed URLs using your SproutVideo API key.

Note: Playback of Direct File Assets happens outside of the video player we provide, so videos viewed using Direct Video File Access will not be tracked in our Analytics and Video Engagement Metrics.

How to enable Insecure Direct Video File Access

When you need direct access to your video files without providing a signature, you’ll need to enable Insecure Direct Video File Access. You can choose to enable this as an account-wide default, or for select videos only.

Warning: Enabling ‘Insecure Direct Video File Access’ means anyone with access to the video asset file link will have unrestricted access to the file.

Enable Insecure Direct File Access for Individual Videos

We recommend only enabling this option for select videos to limit the risk of your content being unintentionally downloaded. To do this, simply navigate to any video settings page in your account.

On your video’s detailed settings page, open the ‘Advanced Video Settings’ menu located at the bottom of the settings pane (bottom left corner of the page):

Open the 'Advanced Video Settings' on SproutVideo video detail settings page

With the ‘Advanced Video Settings’ menu expanded, scroll to the bottom again and find the ‘Advanced Security Options’ section. You’ll see a toggle to ‘Allow insecure access to video asset files’ here. Switch this setting to ‘ON’ to enable insecure direct access to this video only:

Enable 'Allow insecure access to video asset files' in Advanced Security Options

Once you’ve enabled this setting, be sure to save your changes. After saving, you can now access your video asset file links from the video’s download menu. Look for the “DOWNLOAD” button at the top right of your video’s settings page to open the download menu:

Open the video download screen

You’ll see a list of all of your video asset files available for download, including your video’s poster frame and the streaming-only HLS file. Click the link icon to copy the URL for any video asset file:

Click to copy the link for any video asset file from the download screen

Enable Insecure Direct File Access for All Videos in Your Account

To enable Insecure Direct Video File Access for all videos in your account as your account-wide default, navigate to ‘Account Settings’ > ‘API’ and switch the toggle to ‘YES’ to “Allow video file access outside of SproutVideo player”. Click the ‘Save API Settings’ button to save your preference. (Only admin and owner roles have access to manage account-wide settings.)

Enable 'Insecure Direct File Access' for all videos in your account

Once you have enabled this setting, you’ll find your video asset file links in the “DOWNLOAD” menu from any video detailed settings page (mentioned above).

You can also request the direct URL with an API call or assemble the URL manually.

Note: If ‘Insecure Direct Video File Access’ is disabled, all video assets will revert back to their default protected state and will not be accessible outside of the SproutVideo player unless they are secured with a signature. However, per-video settings will always override any account default, so disabling this in your account default settings does not necessarily mean all of your videos are secure. If you’ve ever enabled this setting for any individual video, that per-video setting will be maintained.

You can manually build the link for any video asset file by using the following URL structure:

https://api-files.sproutvideo.com/file/[video_id]/[security_token]/[resolution].mp4

Using any embed code provided by SproutVideo as a reference, replace [video_id] with the video ID of your file, [security_token] with the token from the embed code, and [resolution] with the resolution of the video you want to use (such as ‘1080’).

Here’s an example using the SproutVideo default inline embed code:

<iframe class='sproutvideo-player' src='https://videos.sproutvideo.com/embed/a49bd0b41710e8c12c/0972a3ac5b0ea93d' width='630' height='332' frameborder='0' allowfullscreen></iframe>

The video_id is the first string following https://videos.sproutvideo.com/embed/, so in this example the video ID is: a49bd0b41710e8c12c

The security_token is the last string: 0972a3ac5b0ea93d

We know that the highest-quality file available for this video is the 1080p version, so the resolution we want should be 1080.

Putting that all together, the direct link for this 1080p video file would be:

https://api-files.sproutvideo.com/file/a49bd0b41710e8c12c/0972a3ac5b0ea93d/1080.mp4

How to Access Video Asset Files Securely

It’s possible to access the video asset files directly for any video without compromising on security. To do this, you will simply need to create a signed URL for each video asset. Follow these steps for creating that signature using your SproutVideo API key:

Note: Do not enable the insecure direct file access setting mentioned above if you are using secure, signed video file links.

1. Find the URL you wish to sign

All of the video asset URLs will be returned in the “assets” section of the video’s API response. If you prefer, you may also use the steps above to manually build your video asset file URL.

For this guide, we’ll use the following URL as an example:

https://api-files.sproutvideo.com/file/a49bd0b41710e8c12c/0972a3ac5b0ea93d/1080.mp4

2. Generate the string to sign

To start, we must generate the base string that will be used to create the hash. The base string is composed of the following elements:

Request method: The request method in this case will always be GET

Host name: The host name in this case will always be api-files.sproutvideo.com

Request path: The request path is the part of the URL after the host, up to the first ?. If the URL we are signing is https://api-files.sproutvideo.com/file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4, the request path is /file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4

Sorted query parameters: First, we need to add the expiration parameter. Typically, you would pick a time a few minutes or so in the future. The time you pick should be in UTC, and the value should be represented as an integer number of seconds since the Epoch. For example, the time of May 02 2013, 10:21:43 PM (UTC) would be represented as 1367533303. Since this request doesn’t support any other query parameters, the expiration is all you need. The sorted query parameters for this example become: &expires=1367533243

Note: Ideally your system time should be synced using NTP or a similar protocol so your system uses the same time that SproutVideo’s system does.

Now that we have all of our components, we need to combine them into a single string formatted on multiple lines as shown below:

Request method
Host name
Request path
Sorted query parameters

With our example URL above, the multi-line string would look like this:

GET
api-files.sproutvideo.com
/file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4
&expires=1367533243

Now that we have our string, it is time to sign it.

3. Calculating the signature

First, you’ll need your API key to sign the string. You can find your API key here. The signature is then calculated by passing the signature base string and signing key to the HMAC-SHA1 hashing algorithm. The details of the algorithm are explained in depth here, but thankfully there are implementations of HMAC-SHA1 available for every popular language. Ruby has the OpenSSL library and PHP has the hash_hmac function.

For example, the output given the example string and a signing key of 9ab4b003d47003df394191234c54506d is \xD7\xD0\x18r\xE6\xB8q\b\xA61\xC0k*m\x04H\xCF\x0F\xE2\x1C. That value, when converted to base64, is the signature for this request: 19AYcua4cQimMcBrKm0ESM8P4hw=

4. Building the final request URL

First, take the original URL:

https://api-files.sproutvideo.com/file/a49bd0b41710e8c12c/0972a3ac5b0ea93d/1080.mp4

Next add the sorted query parameters (expiration) to the URL:

https://api-files.sproutvideo.com/file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4?expires=1367533243

Finally, URI-encode the ‘signature’ parameter, and add that to the end of the URL:

https://api-files.sproutvideo.com/file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4?expires=1367533243&signature=19AYcua4cQimMcBrKm0ESM8P4hw%3D

You can then use this final URL to directly access your MP4 files.
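
Steps 1 through 4 above as a single Ruby sketch. This is an added example, not SproutVideo's own code: the function names are made up here, and joining the base-string lines with a single newline and no trailing newline is an assumption read off the layout shown above.

```ruby
require 'openssl'
require 'uri'

# Added example (not SproutVideo code). Assumption: the four components are
# joined by a single "\n" with no trailing newline.
def string_to_sign(url, expires)
  uri = URI.parse(url)
  raise ArgumentError, 'URL already has a query string' if uri.query
  raise ArgumentError, 'expires must be an Integer' unless expires.is_a?(Integer)
  ['GET', uri.host, uri.path, "&expires=#{expires}"].join("\n")
end

# Step 3: HMAC-SHA1 over the base string, keyed with the API key, then base64.
def signature_for(url, expires, api_key)
  base = string_to_sign(url, expires)
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha1'), api_key, base)
  [digest].pack('m0') # strict base64, no line breaks
end

# Step 4: append expires, then the URI-encoded signature.
def signed_url(url, api_key, expires)
  sig = URI.encode_www_form_component(signature_for(url, expires, api_key))
  "#{url}?expires=#{expires}&signature=#{sig}"
end

# Short-lived link: expiry a few minutes ahead, as UTC epoch seconds.
def short_lived_url(url, api_key, ttl_seconds = 300, now = Time.now.utc)
  signed_url(url, api_key, now.to_i + ttl_seconds)
end

# The inputs below are the example values printed on this page.
EXAMPLE_URL = 'https://api-files.sproutvideo.com/file/a098d2bbd33e1c328/7ca00d6d622a8e8d/1080.mp4'
EXAMPLE_KEY = '9ab4b003d47003df394191234c54506d'
EXAMPLE_EXPIRES = 1367533243

if __FILE__ == $PROGRAM_NAME
  puts string_to_sign(EXAMPLE_URL, EXAMPLE_EXPIRES)
  puts signed_url(EXAMPLE_URL, EXAMPLE_KEY, EXAMPLE_EXPIRES)
end
```

Run the signing on a server so the API key never reaches a browser or mobile client, and keep the expiry short so a leaked link stops working quickly.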
