SPEKE: Secure Packager and Encoder Key Exchange API

What is SPEKE?

SPEKE (Secure Packager and Encoder Key Exchange) is a royalty-free, open source API specification that defines the standard for encrypted communication between video encoders, transcoders, origin servers, and digital rights management (DRM) system key servers for live and on-demand streaming video.

SPEKE builds on the Content Protection Information Exchange (CPIX) specification developed by the DASH Industry Forum (DASH-IF) by adding specifications not included in CPIX, such as methods for authenticating and communicating between key servers and encryptors.

The Secure Packager and Encoder Key Exchange API has one purpose: the simplification of multiple complex processes. SPEKE does this in the following ways:

  • SPEKE simplifies content encryption by replacing hundreds of combinations of proprietary API integrations between multi-DRM vendor key servers and encryptors with a single open, standards-based API.
  • SPEKE provides media and entertainment video operators greater flexibility and choice of vendors.
  • SPEKE supports multiple DRM schemas, as well as multiple packaging formats for different types of viewing devices.

SPEKE comes in two versions:

  • Version 1.0, based on CPIX v2.0, adds extensions to cover HLS and Smooth Streaming and limits the number of encryption keys per content to one
  • Version 2.0, based on CPIX v2.3, allows the use of multiple encryption keys per content
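
The one-key versus multiple-key distinction between the two versions can be checked mechanically on a CPIX document before it is accepted. The Python below is an added example, not code from the SPEKE specification or from AWS. The namespace and the element and attribute names (`ContentKeyList`, `ContentKey` with `kid`, `DRMSystem` with `kid` and `systemId`) are taken from the DASH-IF CPIX schema rather than from this page, the sample documents and kid values are constructed, and `check_cpix` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Namespace from the DASH-IF CPIX schema (an assumption; not stated on this page).
CPIX_NS = {"cpix": "urn:dashif:org:cpix"}

# Constructed sample: one content key protected by two DRM systems.
# The kid is made up; the systemId values are the public Widevine and PlayReady IDs.
SAMPLE_SINGLE_KEY = """<cpix:CPIX xmlns:cpix="urn:dashif:org:cpix" id="example-content">
  <cpix:ContentKeyList>
    <cpix:ContentKey kid="11111111-1111-1111-1111-111111111111"/>
  </cpix:ContentKeyList>
  <cpix:DRMSystemList>
    <cpix:DRMSystem kid="11111111-1111-1111-1111-111111111111"
                    systemId="edef8ba9-79d6-4ace-a3c8-27dcd51d21ed"/>
    <cpix:DRMSystem kid="11111111-1111-1111-1111-111111111111"
                    systemId="9a04f079-9840-4286-ab92-e65be0885f95"/>
  </cpix:DRMSystemList>
</cpix:CPIX>"""

# Constructed sample: the same document with a second content key added.
SAMPLE_MULTI_KEY = SAMPLE_SINGLE_KEY.replace(
    "  </cpix:ContentKeyList>",
    '    <cpix:ContentKey kid="22222222-2222-2222-2222-222222222222"/>\n'
    "  </cpix:ContentKeyList>")

def check_cpix(xml_text, single_key_only):
    """Return a list of problems found in a CPIX document (empty list means OK)."""
    # For untrusted input, parse with a hardened XML parser such as defusedxml.
    root = ET.fromstring(xml_text)
    kids = [k.get("kid")
            for k in root.findall("cpix:ContentKeyList/cpix:ContentKey", CPIX_NS)]
    problems = []
    if not kids:
        problems.append("no ContentKey present")
    if len(set(kids)) != len(kids):
        problems.append("duplicate kid in ContentKeyList")
    if single_key_only and len(kids) > 1:
        problems.append(f"{len(kids)} content keys, but only one is allowed")
    # Every DRMSystem entry must point at a key that is actually in the document.
    for drm in root.findall("cpix:DRMSystemList/cpix:DRMSystem", CPIX_NS):
        if drm.get("kid") not in kids:
            problems.append(f"DRMSystem {drm.get('systemId')} "
                            f"references unknown kid {drm.get('kid')}")
    return problems

if __name__ == "__main__":
    print(check_cpix(SAMPLE_MULTI_KEY, single_key_only=True))
```

Calling `check_cpix` with `single_key_only=True` applies the version 1.0 limit of one key per content; with `False` it applies only the structural checks.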

SPEKE – Democratization of the Video Workflow

Content Providers

(MVPDs and Content Distributors)

  • Lowers barrier of DRM solution provider adoption
  • Opportunity cost savings with quicker integration
  • Ability to expand audience/device coverage


(Encoders, Transcoders, and Packagers)

  • Robust and light application
  • Saves time, effort, and cost of custom DRM API integration
  • Reduces testing time and effort
  • Increases focus on core functionality
  • Ability to test DRM workflow with reference servers

DRM Solution Providers

  • Lowers barriers to adoption
  • Saves on custom integration cost and time
  • Ability to establish proven workflows

What Advantages Does SPEKE Provide?

The short list of SPEKE advantages:

  • Single API for video encoders, transcoders, packagers, and key servers
  • Standards-based
  • Supports multiple DRMs
  • Supports multiple encryption keys for different tracks (SPEKE v2.0 feature)
  • Simplifies integration
  • Reduces vendor version testing
  • Deployable for cloud, hybrid, or on-premises workflows
  • Accelerates customer deployment

A deeper overview of how SPEKE helps:

SPEKE simplifies complex “handshake” challenges by providing a single common interface for integrating any video transcoder or origin server with any key server, whether running on-premises in a data center or as a cloud service. SPEKE is designed for both Video-on-Demand (VOD) and live streaming workflows using either a static (best for VOD) or rotating key.

SPEKE utilizes the Content Protection Information Exchange Format (CPIX) to standardize the method for carrying key and DRM information for encrypting and protecting video content, and adds specifications for authentication and other important behaviors on top of CPIX. Driven by the DASH Industry Forum, CPIX is designed to create operational efficiencies while reducing costs and time-to-market for OTT video services.

Additionally, SPEKE incorporates AWS Identity and Access Management (IAM) roles to allocate flexible yet secure permission policies which may be delegated to users, applications, or services to securely enable key exchange between a multi-DRM vendor and a video transcoding or packaging vendor. Video operators may use IAM roles whether the key server and encryptor are running on AWS, on hardware in the operator’s headend or data center, or as a combination of the two, and even where the key server and encryptor are running on different cloud providers.

While the DASH Industry Forum originally developed CPIX for MPEG-DASH content, CPIX now also supports HLS content. With its comprehensive feature set, SPEKE can function as a single format for MPEG-DASH, HLS, Microsoft Smooth Streaming, and future packaging technologies, and for multiple DRMs including Microsoft PlayReady, Google Widevine, Apple FairPlay Streaming, AES-128, and other proprietary DRM solutions. SPEKE supports Apple HLS transport streams, fragmented MP4, and CMAF. SPEKE also supports static keys and key rotation.

SPEKE eliminates complexity for both media customers and technology vendors. It combines a single common API for any transcoder, packager, and key server; CPIX for key exchange with all streaming formats; and authentication mechanisms. This combination delivers significantly faster integration time, greatly reduced test cycles, and an expanded ecosystem of integrated transcoders, packagers, and multi-DRM solutions, while also enabling operational tracing to troubleshoot issues.

This rich ecosystem provides customers with dozens of pre-integrated solutions, faster time to market, and greater flexibility to select combinations of video processing and multi-DRM solutions to meet their requirements. It also supports cloud, hybrid, and on-premises architectures.

For specific information regarding DRM Platform providers supporting SPEKE v1.0 or SPEKE v2.0, please see the documentation for getting on board with a DRM platform provider.

What Benefits Does SPEKE Offer Video Vendors, Providers, and Customers?

The barrier to protecting video content is the complexity of fragmented technologies, which imposes tremendous technical challenges and resource burdens for video encoding, transcoding, video packaging, and multi-DRM vendors alike. Solving the challenges of technology fragmentation is where SPEKE shines.

Media customers benefit from the ability to seamlessly mix and match any combination of SPEKE-enabled encoding, transcoding, packaging, and multi-DRM vendor products. Customers can also take advantage of role-based security best practices and secure mutual authentication, along with a standards-based implementation designed around CPIX for MPEG-DASH and HLS. Since these integrations work with any pre-integrated video transcoder, origin server, or key server, media customers gain the added flexibility of operating video workflows entirely in the cloud, entirely on-premises in data centers, or as hybrid workflows. This allows customers to migrate secure media workflows to the cloud in stages in order to maximize the cost savings, scalability, and global availability of the cloud while maintaining their relationships with vendors that have SPEKE integrations. The result is a much faster time-to-market and lower barriers to adopting new DRM systems, which means a bigger potential audience reach.

Multi-DRM vendors benefit by integrating their key server once with SPEKE and obtaining access to a wide ecosystem of video processing partners through that single integration. In addition, SPEKE provides a single key exchange protocol and reduces the resource impact of testing multiple product integrations across vendors.

Transcoding and origin vendors benefit from integrating transcoders and origin servers once with SPEKE and gaining access to all pre-integrated key server vendors and multi-DRM solutions. This eliminates the need for separate integrations with proprietary APIs across dozens of multi-DRM vendors. This also greatly reduces the development and testing time to integrate with DRM vendors, allowing these companies to focus instead on improving core functionality and making systems more feature rich.

For specific information regarding cloud or on-premises applications, see SPEKE Support in AWS Services and Products.

SPEKE Webcast

In this webcast you will learn about the Secure Packager and Encoder Key Exchange (SPEKE). SPEKE is an open, extensible API specification developed to streamline integration of Digital Rights Management (DRM) with video encoders, transcoders, and origin servers (encryptors).

AWS SPEKE Webcast (30:30)
