Product updates · 8 min read

Video Access Management

Video Access Management: How to create, deliver, and manage private videos and what are they anyway?

Learn what are private videos and how to use them in order to restrict or limit access to videos that shouldn't be public

Artem Matinian

February 28, 2023

The internet is fascinating; vast information zooms through back and forth, enabling millions of people worldwide to share their knowledge and experiences. However, it’s also a place where one must be cautious and protect oneself regarding private content and limit access to personal information, especially videos. We understand that it’s a sensitive topic for many it's difficult to implement on your own, so we created Private Videos.

Secure & manage access to your videos

Maybe you are asking yourself: “ok, but how does video privacy setting help me?”. There are quite a few use cases for private videos, and we’ve discussed the hassle of securing the videos yourself.

  • On-demand videos behind a paywall
  • Content Protection
  • Video NFTs
  • Video for internal use only
  • Private video messaging
  • Disposable one-time videos

And pretty much any video where you want to limit or restrict access! 🔒

What are private videos

A private video is a video object secured by a private token and can be consumed only once. After the private token is consumed, the video is only available once you have another private token assigned to it. So, even if your user has the video URL, sharing it with anyone else is useless.

We tried to make it as simple as possible to secure your videos:

  • Create a video container with a public: false flag, which will make the video (surprise 🥳) private!
  • Private videos will generate a new private token each time a request is made for that video id.
  • Each private token is usable only once.

If you like to get into nitty gritty details, feel free to check out our docs about Private Videos.

How to deliver private videos to your audience

After you learn how private video works and what it’s good for, we can now talk about the delivery part, which is the most important part.

To reiterate the private video concept, here’s a visual representation of how the whole thing works:

private video concept

Knowing that now we can finally start building stuff!

It’s that simple! (if you want the advanced stuff, scroll down to “Time to roll up our sleeves!”)

Let’s try to deliver one video in HTML with our own (amazing!) player.

Suppose you already have a cool video uploaded. Go to the dashboard and get make the video private (if it’s not already private)

Now that the video is private, we can deliver it to users. Here’s a quick snippet in HTML that you can use to play your video in the browser. Just copy the code snippet and replace the URL with your private video URL. You can find the video URLs in the Assets section of the Video Details:

video URLs in the Assets section


We played the video once with a browser. Now, open another browser tab in incognito mode and play the same video. You can see that it’s gone! no more video! don’t worry; even though the video still exists, the token changes once you consume it. If you refresh the video details page, you’ll notice that the private token has changed. If you paste the URL with the new private token in the src you will be able to play the video again in a new tab, but already with a different private token. Cool right? 🙂

Let’s get programmable

The concept works the same for API requests. You can request the API and fetch the video by id; if it’s a private video the response will give you the URLs with the private tokens (the XYZ in the URLs stands for the private token):



Assets? what assets? 🏠

Notice that JSON above has a field called assets. We’ll refer to assets later, but it’s important to know what they are. Assets include the URLs for the video thumbnail, iframe with the player for embedding directly into the HTML, and several other video formats like mp4 and hls. Now you know! 💡

How to create a sample app with private videos

Now that we know the privacy setting concepts, it’s time to write some example apps that will give us a small glimpse into what powerful tool we are dealing with here.

Let’s assume that we want to build an app that will display all the private video thumbnails on our website and make them clickable so it will open a video once it’s clicked. Something like that:

On the backend, we will have to do some magic. While with public videos it’s pretty simple as just returning the videos, for private videos we will need to get the session first. Let’s look at the HTML code:

private video HTML code

Notice the avh parameter in the query string? The avh parameter is where you will pass the session token... oh wait, what's a session token?!

Session token & session management

Session Tokens are designed to retain the same session for a user. Let’s take an example - a user opened a tab with the private video and would like to refresh the tab, or the video didn’t work with our player for whatever reason. Hence, you redirect the user to an mp4 version of that video (different asset). For these cases, we’ve created the session tokens.

There are two types of tokens for private videos:

  • Private token (which we already discussed): generated every time you pull a private video from the API.
  • Session token: This token is used to retain the private video session with the same private token.

At a very high level, to request different assets for the same private video, more than having the private token is required; you also need to retain the session. For that, we have the session token. In the flowchart below, you can see that for each private video, we are using a session token + the private token:

session token + the private token

So let’s get a bit technical here. To start the session, you will need to request the /session endpoint, get the session token, add it to the first asset you request, and then add it to every following asset you request. In the example above, we will request the /session endpoint, then add the session token to the query string of the private video thumbnail → request an embedded video asset with the session token in the query string → request a private video asset in mp4 format with the session token, and so on, you got the idea 😄

In other words:

Get the session token: GET{videoId}/token/{private token}/session

Response: {"session_token": "111-222-333"}

Now we can request the private video thumbnail asset → embedded video → mp4:

GET{video id}/token/{private token}/thumbnail.jpg?avh={session token}

GET{video id}?token={private token}&avh={session token}

GET{video id}/token/{private token}/mp4/source.mp4?avh={session token}

Sample runnable code of the above app in Node.js:

Let’s do a step-by-step review of what we are doing here.

  1. We are creating a server that will serve HTML on port 3000 with Node.js
  2. To make it easy on ourselves, we create a wrapper that will make an HTTP request to with api key already embedded in HTTP header. That’s the apiVideoReq function.
  3. We will get a raw response from the apiVideoReq, so need to create a parser that will parse the JSON response if the request is successful (200). That’s going to be the getJsonResponse
  4. Then we need to create a function that will get the list of our videos. That’s pretty simple with the wrapper function we have, so let’s reuse the apiVideoReq and make a request to []( endpoint. You can find more info about the /videos endpoint here. The response we'll get is an array of objects of the following format:


Notice that the second object has a property public which is set to false , which means that the video is private; hence we need to get all of these videos.

  1. Extract all the private videos from the list by creating an iterator that will run through the array of objects and get each video with the flag public set to false pushing only the assets and video id into a new array.
  2. If you remember, we need to get the session token by requesting the /session endpoint. The endpoint accepts the video id and private token; however, if you notice the private token is only in the URL. So let’s extract it! we can use this simple regex to extract it from the embedded URL (?<=token=).*$
  3. We first extract the private token from the URL and map it to the asset objects (with the video URL, video id, etc.)
  4. Then we request the /session endpoint passing in the video id and private token, and we get the session_token. Now we can also map to the same asset object.
  5. We’re almost done; hang in there! now let’s get generate <img> tags with the src as the asset thumbnails and add the session token in the query string as an avh parameter, i.e: <img src={{session token}}> . Then in the same line generate the <a href> tag that will lead us to the actual video, and as you understood already, it too has to include the session token, i.e: <a href={{session token}}>
  6. And lastly, generate the HTML <head> and <body> while encapsulating the <a href><img></a> we’ve already created, and…. DONE!

Now you have clickable thumbnails of your private videos which you can secure behind user credentials for example 🙂

Let’s summarize what we’ve learned here:

  • We’ve understood how private videos work and the purpose of private videos with real-life use cases.
  • We’ve also built a small app to leverage private videos to create clickable thumbnails with minimal code.

If you have any questions or feedback about this article, do not hesitate to contact our support. You can also find the docs for private videos here.

Try out more than 80 features for free

Access all the features for as long as you need.
No commitment or credit card required

Video API, simplified

Fully customizable API to manage everything video. From encoding to delivery, in minutes.

Built for Speed

The fastest video encoding platform. Serve your users globally with 140+ points of presence. 

Let end-users upload videos

Finally, an API that allows your end-users to upload videos and start live streams in a few clicks.


Volume discounts and usage-based pricing to ensure you don’t exceed your budget.