For server-side ad stitching, your manifest manipulator makes ad pod timing metadata requests to Google DAI. For more information, see Build ad segment URLs .
This page covers authenticating ad pod metadata requests using the Hash-Based Message Authentication Code (HMAC) token.
Before you begin
Before you continue, do the following:
- Complete the prerequisites .
- Ensure you've enabled the Pod resource authentication keysin your livestream event in your Google Ad Manager Account .
Generate an HMAC token
To generate a token, do the following:
- Collect the path and query parameters required for your ATM request. For a full list, see the Method: Ad pod timing metadata .
-
Organize your parameters into a single string. You must sort the parameters alphabetically and separate them with the tilde
~character, for example:ad_break_id= AD_BREAK_ID ~custom_asset_key= CUSTOM_ASSET_KEY ~exp= EXPIRATION ~network_code= NETWORK_CODE ~pod_id= POD_IDENTIFIER -
Calculate a SHA-256 hash of the token string using your DAI authentication key.
-
Format the hash output in hexadecimal.
-
To sign the token string, append the signature at the end of the parameters you gathered earlier:
ad_break_id=...~hmac= HMAC_SIGNATURE `Replace the
HMAC_SIGNATUREwith the signature you generated by hashing the token string using your DAI authentication key. -
To pass the signed token string safely, apply URL-encoding to the signed token string.
The following snippet generates the URL-encoded value of a signed token string:
# Add 60 seconds to the current time
future_epoch
=
$((
EPOCHSECONDS
+
60
))
echo
"Current:
$EPOCHSECONDS
"
echo
"Future:
$future_epoch
"
# Current: 1769644251
# Future: 1769644311
# Sample DAI stream authentication key
key
=
"EB089..."
# Sort parameters in the token string
token
=
"ad_break_id=ab-001~custom_asset_key=hls-pod-serving-redirect-auth-stream-pod~exp=1769644311~network_code=21775744923~pd=30000"
# Generate the token's signature.
echo
-n
$token
|
openssl
dgst
-sha256
-mac
HMAC
-macopt
key: $key
# SHA-256(stdin)= 056d442f19baee6988c0e88d2eb8e9f9f6ffcc98737a2fef301dec759701cfb6
# Sign the token: ad_break_id=ab-001~custom_asset_key=hls-pod-serving-redirect-auth-stream-pod~exp=1769644311~network_code=21775744923~pd=30000~hmac=056d442f19baee6988c0e88d2eb8e9f9f6ffcc98737a2fef301dec759701cfb6
# Encode the token: ad%5Fbreak%5Fid%3Dab%2D001%7Ecustom%5Fasset%5Fkey%3Dhls%2Dpod%2Dserving%2Dredirect%2Dauth%2Dstream%2Dpod%7Eexp%3D1769644311%7Enetwork%5Fcode%3D21775744923%7Epd%3D30000%7Ehmac%3D056d442f19baee6988c0e88d2eb8e9f9f6ffcc98737a2fef301dec759701cfb6
Authenticate an ATM request
To authenticate your ATM requests, use the auth-token
query string parameter
to pass the URL-encoded signed HMAC token.
The following example uses an HMAC token to authenticate an ATM request:
curl
--include
"https://dai.google.com/linear/pods/v1/adv/network/21775744923/custom_asset/hls-pod-serving-redirect-auth-stream-pod/pod.json?stream_id=6755b6a6-ef0f-4587-9b7f-8a59c76ae210:CBF2&ad_break_id=ab-001&pd=30000&auth-token=ad%5Fbreak%5Fid%3Dab%2D001%7Ecustom%5Fasset%5Fkey%3Dhls%2Dpod%2Dserving%2Dredirect%2Dauth%2Dstream%2Dpod%7Eexp%3D1769644311%7Enetwork%5Fcode%3D21775744923%7Epd%3D30000%7Ehmac%3D056d442f19baee6988c0e88d2eb8e9f9f6ffcc98737a2fef301dec759701cfb6"
If successful, you see the following JSON response:
{
"ads"
:
[
{
"duration_ms"
:
10010
,
"variants"
:
{
"media-ts-4628000bps"
:
{
"segment_durations"
:
{
"timescale"
:
1000
,
"values"
:
[
5005
,
5005
]
},
"segment_extension"
:
"ts"
}
}
},
...
],
"slate"
:
{
"duration_ms"
:
0
,
"variants"
:
{
"media-ts-4628000bps"
:
{
"segment_durations"
:
{
"timescale"
:
1000
,
"values"
:
[
10010
]
},
"segment_extension"
:
"ts"
}
}
},
"status"
:
"final"
}
To understand the response structure and status codes, refer to Method: Ad pod timing metadata .
