The restricted access system allows you to grant authorized members access to restricted clips and playlists using secure access tokens. You can learn more about restricted access here.
Whilst you can generate and share restricted content from the Omny Studio UI, it is also possible to programmatically generate secure URLs with access tokens to share and play restricted content on custom players, apps or websites behind a paywall.
You can do this via the Omny Studio Management API.
For example, if you have a paywalled app or website, you can programmatically generate access tokens to provide your users access to:
- Podcast RSS URLs for restricted playlists
- Embed players for restricted clips and playlists
- MP3 download URLs for restricted clips
Access tokens can be appended to various URLs, including clip MP3 download URLs, embed player iFrame URLs and podcast RSS URLs, using the accessToken URL parameter to authorize access to restricted content.
For example, a restricted playlist RSS feed can be accessed with
A restricted clip embed can be shared with
A restricted clip MP3 download URL can be accessed with
Using an invalid or revoked access token will return an error page.
Generating access tokens
JSON Web Token
Omny Studio's restricted access tokens use the JSON Web Token (JWT) standard. You can read more about JWTs and find popular code libraries for parsing and generating them at jwt.io.
The accessToken JWT comprises the following structure, encoded as a Base64 URL encoded string.
"kid": "[YOUR PROGRAMMATIC SIGNING KEY ID]",
kid is your programmatic signing key ID, which you can find in the Program Settings > Restricted Access UI or retrieve via the Management API
- The JWT standard headers
typ must be set
Payload or claims
"playlist": "[PLAYLIST ID]", // or "clip": "[CLIP ID]"
clip claim specifying the GUID of the playlist or clip to access (it must match the content URL being accessed)
key claim is the restricted member's access key, which you can find in the Program Settings > Restricted Access UI or retrieve via the Management API.
- Optionally, you can set an ads claim to override whether dynamic ad injection should be applied to the downloaded content. A value of 1 will enable ads, and a value of 0 will disable ads. If no value is provided, it will fall back to the "Disable dynamic ad insertion for restricted member downloads" setting on the clip or playlist.
Your JWT signature should be signed using the algorithm specified in the header. Using the standard HMAC-SHA256 algorithm, it should be signed as follows:
base64UrlEncode(header) + "." +
[YOUR PROGRAMMATIC SIGNING SECRET]
The signing secret is the programmatic signing secret, which you can find in the Program Settings > Restricted Access UI or retrieve via the Management API.
You can find an example of a valid access token here.
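The token structure and HMAC-SHA256 signing described above, as an added Python example using only the standard library (it is not Omny Studio's own code). It assumes the standard JWT header values "HS256" and "JWT" for alg and typ, that the signing secret is used as its UTF-8 bytes, and that ads is sent as a JSON number; all IDs, keys and URLs passed to it are placeholders you supply.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

def b64url(data: bytes) -> str:
    """Unpadded URL-safe Base64, the encoding JWT uses for each segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _sign(signing_input: str, secret: str) -> str:
    # Assumption: the signing secret is used as its UTF-8 bytes.
    mac = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def make_access_token(key_id, secret, member_key, *, playlist=None, clip=None, ads=None):
    """Build header.payload.signature with the claims described on this page."""
    if (playlist is None) == (clip is None):
        raise ValueError("set exactly one of playlist or clip")
    # Assumption: "HS256" and "JWT" are the standard JWT values for alg and typ.
    header = {"alg": "HS256", "typ": "JWT", "kid": key_id}
    payload = {"playlist": playlist} if playlist is not None else {"clip": clip}
    payload["key"] = member_key
    if ads is not None:
        if isinstance(ads, bool) or ads not in (0, 1):
            raise ValueError("ads must be 0 or 1")
        payload["ads"] = ads  # assumption: sent as a JSON number
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, payload)]
    signing_input = ".".join(segments)
    return signing_input + "." + _sign(signing_input, secret)

def signature_is_valid(token: str, secret: str) -> bool:
    """Recompute the HMAC and compare in constant time (local self-check)."""
    signing_input, sep, signature = token.rpartition(".")
    if not sep or signing_input.count(".") != 1:
        return False
    try:
        expected = _sign(signing_input, secret)
        return hmac.compare_digest(expected.encode(), signature.encode())
    except UnicodeEncodeError:
        return False

def with_access_token(url: str, token: str) -> str:
    """Set the accessToken query parameter, replacing any existing one."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "accessToken"]
    return urlunsplit(parts._replace(query=urlencode(query + [("accessToken", token)])))
```

Run this on your server or paywall backend so the programmatic signing secret never reaches the client; only the finished token belongs in a URL.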
Regenerating keys and secrets
If the individual restricted member access key or your program's programmatic signing secret is ever leaked publicly, you can reset/regenerate both in the Omny Studio UI and Management API.
It is important to note that all previously generated access tokens will become invalid after regenerating either the access key or programmatic signing secret. In particular, users who subscribed to a restricted RSS feed will no longer be able to refresh their feed.
Managing restricted members
For privacy reasons, Omny Studio does not store any personally identifiable information about restricted members.
We encourage you to generate a restricted member for each of your service's paywall subscribers or users and correlate them using the member ID.
The Management API allows you to create and delete restricted members and regenerate access keys programmatically. You can view the Management API documentation to learn more.