对广告连播片段请求进行身份验证

对于服务器端广告拼接,清单操纵器会向 Google DAI 发出广告连播细分请求。如需了解详情,请参阅构建广告细分网址

本页介绍了如何使用 HMAC 令牌对广告连播细分请求进行身份验证。

准备工作

在继续之前,请执行以下操作:

生成 HMAC 令牌

如需生成令牌,请执行以下操作:

  1. 收集为连播细分请求填充的路径和查询参数(auth-token 除外)。如需查看完整列表,请参阅方法:连播细分

  2. 将参数整理成一个字符串。您必须按字母顺序对参数进行排序,并使用波浪号 ~ 分隔它们,例如:

    custom_asset_key=CUSTOM_ASSET_KEY~exp=EXPIRATION~network_code=NETWORK_CODE~pd=POD_DURATION~pod_id=POD_IDENTIFIER

  3. 使用 DAI 身份验证密钥计算令牌字符串的 SHA-256 哈希值。

  4. 以十六进制格式设置哈希输出的格式。

  5. 如需对令牌字符串进行签名,请在之前收集的参数末尾附加签名:

    custom_asset_key=...~hmac=HMAC_SIGNATURE

    HMAC_SIGNATURE 替换为您通过使用 DAI 身份验证密钥对令牌字符串进行哈希处理而生成的签名。

  6. 如需安全地传递已签名的令牌字符串,请对已签名的令牌字符串应用网址编码。

    以下示例会生成已签名令牌字符串的网址编码值:

HLS 

# Add 60 seconds to the current time
future_epoch=$((EPOCHSECONDS + 60))

echo "Current: $EPOCHSECONDS"
echo "Future: $future_epoch"
# Current: 1774465950
# Future: 1774466010

# Sample DAI pod resource authentication key
key="EB08..."

# Sort parameters in the token string
token="ad_break_id=ab1~custom_asset_key=hls-pod-serving-redirect-auth-stream-pod~exp=1774466010~network_code=21775744923~pd=30000"

# Generate the token's signature.
echo -n $token | openssl dgst -sha256 -mac HMAC -macopt key:$key

# SHA2-256(stdin)= ff38abab31b436351e20ecd57bcc5b97acd9461abb71c4cf9c9731add965ecf2

# Sign the token: ad_break_id=ab1~custom_asset_key=hls-pod-serving-redirect-auth-stream-pod~exp=1774466010~network_code=21775744923~pd=30000~hmac=ff38abab31b436351e20ecd57bcc5b97acd9461abb71c4cf9c9731add965ecf2

# Encode the token: ad_break_id%3Dab1~custom_asset_key%3Dhls-pod-serving-redirect-auth-stream-pod~exp%3D1774466010~network_code%3D21775744923~pd%3D30000~hmac%3Dff38abab31b436351e20ecd57bcc5b97acd9461abb71c4cf9c9731add965ecf2

DASH 

# Add 60 seconds to the current time
future_epoch=$((EPOCHSECONDS + 60))

echo "Current: $EPOCHSECONDS"
echo "Future: $future_epoch"
# Current: 1769540517
# Future: 1769540577

# Sample DAI pod resource authentication key
key="EB08..."

# Sort parameters in the token string
token="ad_break_id=ab1~custom_asset_key=dash-pod-serving-redirect-auth-stream-pod~exp=1774466641~network_code=21775744923~pd=30000"

# Generate the token's signature.
echo -n $token | openssl dgst -sha256 -mac HMAC -macopt key:$key

# SHA2-256(stdin)= 7249f9193778f2318314519ff2cea5c47958bc7fdd2eaf24008352867af0a050

# Sign the token: ad_break_id=ab1~custom_asset_key=dash-pod-serving-redirect-auth-stream-pod~exp=1774466641~network_code=21775744923~pd=30000~hmac=7249f9193778f2318314519ff2cea5c47958bc7fdd2eaf24008352867af0a050

# Encode the token: ad_break_id%3Dab1~custom_asset_key%3Ddash-pod-serving-redirect-auth-stream-pod~exp%3D1774466641~network_code%3D21775744923~pd%3D30000~hmac%3D7249f9193778f2318314519ff2cea5c47958bc7fdd2eaf24008352867af0a050

对 HLS 广告连播细分请求进行身份验证

如需对连播资源请求进行身份验证,请使用 auth-token 查询字符串参数传递网址编码的已签名 HMAC 令牌。

HLS

以下示例使用 HMAC 令牌对 HLS 连播细分请求进行身份验证:

curl --include "https://dai.google.com/linear/pods/v1/seg/network/21775744923/custom_asset/hls-pod-serving-redirect-auth-stream-pod/ad_break_id/ab1/profile/media-ts-4628000bps/0.ts?stream_id=51b85d28-7ed5-48da-bfd8-e013b7d7b204:DLS&&sd=10000&pd=30000&auth-token=ad_break_id%3Dab1~custom_asset_key%3Dhls-pod-serving-redirect-auth-stream-pod~exp%3D1774466010~network_code%3D21775744923~pd%3D30000~hmac%3Dff38abab31b436351e20ecd57bcc5b97acd9461abb71c4cf9c9731add965ecf2"

如果成功,您会看到以下响应:

...
< HTTP/2 302
< access-control-allow-headers: Authorization
< access-control-allow-origin: *
< access-control-expose-headers: Location
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< date: Wed, 25 Mar 2026 18:13:40 GMT
< expires: Mon, 01 Jan 1990 00:00:00 GMT
< location: https://redirector.googlevideo.com/....
< pragma: no-cache
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
...

如需了解响应结构和状态代码,请参阅方法:连播细分

如果身份验证失败,您会看到 x-ad-manager-dai-warning

...
< HTTP/2 302
< access-control-allow-headers: Authorization
< access-control-allow-origin: *
< access-control-expose-headers: Location
< cache-control: no-cache, no-store, max-age=0, must-revalidate
< date: Wed, 25 Mar 2026 18:17:21 GMT
< expires: Mon, 01 Jan 1990 00:00:00 GMT
< location: https://redirector.googlevideo.com/....
< pragma: no-cache
< x-ad-manager-dai-warning: Unable to create ad break due to Unauthorized error (skipping ad break creation)
< x-content-type-options: nosniff
...

DASH

以下示例使用 HMAC 令牌对 DASH 连播细分请求进行身份验证:

curl --include "https://dai.google.com/linear/pods/v1/seg/network/21775744923/custom_asset/dash-pod-serving-redirect-auth-stream-pod/ad_break_id/ab1/profile/media-ts-4628000bps/0.ts?stream_id=8b061ab5-1efc-4e4d-882f-ae3c071df854:ATL&&sd=10000&pd=30000&auth-token=ad_break_id%3Dab1~custom_asset_key%3Ddash-pod-serving-redirect-auth-stream-pod~exp%3D1774466641~network_code%3D21775744923~pd%3D30000~hmac%3D7249f9193778f2318314519ff2cea5c47958bc7fdd2eaf24008352867af0a050"

如果成功,您会看到以下响应:

...
HTTP/2 302
..
location: https://redirector.googlevideo.com/....
...

如需了解响应结构和状态代码,请参阅方法:连播细分

如果身份验证失败,您会看到以下 x-ad-manager-dai-warning

...
HTTP/2 302
..
location: https://redirector.googlevideo.com/....
pragma: no-cache
x-ad-manager-dai-warning: Unable to create ad break due to Unauthorized error (skipping ad break creation)
x-content-type-options: nosniff
...