Introduction
Most of the Brightcove REST APIs use OAuth2 as the basis for authentication, and we'll look at the OAuth implementation in more detail in the sections that follow.
First, however, note that three APIs use different approaches to authentication:
Policy key authentication: Playback API
The Playback API used mainly to retrieve video and playlist data from players or web portals, uses a policy_key, for authentication, usually passed as an argument in an Accept header:
Accept: application/json;pk={policy_key}
Policy keys are generated automatically for Brightcove players, and may be taken from a player configuration, or generated using the Policy API
API-key authentication: Live API
The Live API uses an API key that is supplied when you account is set up to authenticate requests. The API key is passed in an X-API-KEY header:
X-API-KEY : {YOUR_APIKey}
OAuth2 authentication
The other REST APIs for Video Cloud use OAuth2 for authentication, For those familiar with OAuth2, we use a client credential flow. There are two operations involved:
- Get client credentials: this is a one-time operation that is most easily carried out using the API Authentication page of the Admin tools in Studio. See Managing API Authentication Credentials for details and step-by-step instructions.
- Get an access token: each API request must contain an access token sent in an
Authorizationheader:Authorization: Bearer {access_token}Access tokens live for five minutes, so unless you running a process that will be generating repeated API requests, you will probably just want to get a new one for each request.
Access tokens are obtained by sending the client credentials in a request to Brightcove's OAuth API. See Getting Access Tokens for full details. There is also a sample app you can use to get a one-off token for testing API calls. There are also instructions for configuring the popular REST clients Postman and Insomnia.