SPEKE: Secure Packager and Encoder Key Exchange API

What is SPEKE?

SPEKE is the acronym for Secure Packager and Encoder Key Exchange (SPEKE), which is a royalty-free open source API specification that defines the standard for encrypted communication between video encoders, transcoders, origin servers, and digital rights management (DRM) system key servers for live and on-demand streaming video.

SPEKE builds on the Content Protection Information Exchange (CPIX) specification developed by the DASH Industry Forum (DASH-IF) by adding specifications not included in CPIX, such as methods for authenticating and communicating between key servers and encryptors.

The Secure Packager and Encoder Key Exchange API has one purpose: the simplification of multiple complex processes. In a nutshell, SPEKE does this in the following ways:

  • SPEKE simplifies content encryption by replacing hundreds of combinations of proprietary API integrations between multi-DRM vendor key servers and encryptors with a single open, standards-based API.
  • SPEKE provides media and entertainment video operators greater flexibility and choice of vendors.
  • SPEKE supports multiple DRM schema, as well as multiple packaging formats for different types of viewing devices.

SPEKE – Democratization of the Video Workflow

Content Providers

(MVPDS and Content Distributors)

  • Lowers barrier of DRM solution provider adoption
  • Opportunity cost savings with quicker integration
  • Ability to expand audience/device coverage


(Encoders, Transcoders, and Packagers)

  • Robust and light application
  • Saves time, effort and cost of custom DRM API integration (4 weeks)
  • Savings in testing time and effort (~17% reduction in testing effort)
  • Increased focus on core functionality
  • Ability to test DRM workflow with reference servers

DRM Solution Providers

  • Lowers barrier to adoption
  • Custom integration cost and time savings
  • Ability to establish proven workflows

What Advantages Does SPEKE Provide?

The short list of SPEKE advantages:

  • Single API for video encoders, transcoders, packagers, and key servers
  • Standards-based
  • Supports multiple DRMs
  • Simplifies integration
  • Reduces vendor version testing
  • Deployable for cloud, hybrid, or on-premises workflows
  • Accelerates customer deployment

A deeper overview of how SPEKE helps:

SPEKE simplifies complex “handshake” challenges by providing a single common interface for integrating any video transcoder or any origin server with any key server, whether running on-premises in a data center or as cloud services. SPEKE is designed for both Video-on-Demand (VOD) and live streaming workflows using either a static (best for VOD) or rotating key.

SPEKE utilizes the Content Protection Information Exchange Format (CPIX) to standardize the method for carrying key and DRM information for encrypting and protecting video content, and adds specifications for authentication and other important behaviors on top of CPIX. Driven by the DASH Industry Forum, CPIX is designed to create operational efficiencies while reducing costs and time-to-market for OTT video services.

Additionally, SPEKE incorporates AWS Identity and Access Management (IAM) roles to allocate flexible yet secure permission policies which may be delegated to users, applications, or services to securely enable key exchange between a multi-DRM vendor and a video transcoding or packaging vendor. Video operators may use IAM roles whether the key server and encryptor are running on AWS, on hardware in the operator’s headend or data center, a combination of the two, and even where the key server and encryptor are running on different cloud infrastructure.

While the DASH Industry Forum originally developed CPIX for MPEG-DASH content, CPIX now also supports HLS content. With its comprehensive feature set, SPEKE can function as a single format for MPEG-DASH, HLS, Microsoft Smooth Streaming, and future packaging technologies, and for multiple DRMs including Microsoft PlayReady, Google Widevine, Apple FairPlay Streaming, AES-128, and proprietary DRM solutions. SPEKE supports Apple HLS transport stream, fragmented MP4, and CMAF. SPEKE also supports static keys and key rotation.

SPEKE eliminates complexity for media customers and technology vendors alike. It combines a single common API for any transcoder, packager, and key server; CPIX for MPEG-DASH and HLS; and authentication mechanisms. This combination delivers significantly faster integration time, greatly reduced test cycles, and an expanded ecosystem of integrated transcoders, packagers, and multi-DRM solutions, while also enabling operational tracing to troubleshoot issues.

This rich ecosystem provides customers dozens of pre-integrated solutions, faster time to market, and greater flexibility to select combinations of video processing and multi-DRM solutions to meet their requirements. It also supports cloud, hybrid, and on-premises architectures.

What Benefits Does SPEKE Offer Video Vendors, Providers, and Customers?

The barrier to protecting video content is the complexity of technology fragmentation, which imposes tremendous technical challenges and resource burdens for video encoding, transcoding, video packaging, and multi-DRM vendors alike. Solving the challenges of technology fragmentation is where SPEKE shines.

Media customers benefit from the ability to seamlessly mix and match any combination of SPEKE-enabled encoding, transcoding, packaging, and multi-DRM vendor products. Customers can also take advantage of role-based security best practices and secure mutual authentication, along with standards-based implementation designed around CPIX for MPEG-DASH and HLS. Since these integrations work with any pre-integrated video transcoder, origin server, or key server, media customers gain the added flexibility of operating video workflows entirely in the cloud, entirely on-premises in data centers, or as hybrid workflows. This allows customers to migrate secure media workflows to the cloud in stages in order to maximize the cost savings, scalability, and global availability of the cloud while maintaining their relationships with vendors that have SPEKE integrations. The result is a much faster time-to-market and lower barriers to adopting new DRM systems, which means a bigger potential audience reach.

Multi-DRM vendors benefit by integrating their key server once with SPEKE and obtaining access to a wide ecosystem of video processing partners through that single integration. In addition, SPEKE provides a single key exchange protocol and reduces the resource impact of testing multiple product integrations across multiple vendors.

Transcoding and origin vendors benefit from integrating transcoders and origin servers once with SPEKE and gaining access to all pre-integrated key server vendors and multi-DRM solutions. This eliminates the need for separate integrations with proprietary APIs across dozens of multi-DRM vendors. This also greatly reduces development and testing time to integrate with DRM vendors, allowing these companies to focus instead on improving core functionality and making their systems more feature rich.

For specific information regarding cloud or on-premises applications, see SPEKE Support in AWS Services and Products.

SPEKE Webcast

The Secure Packager and Encoder Key Exchange (SPEKE) is an open, extensible API specification developed to streamline integration of Digital Rights Management (DRM) with video encoders, transcoders, and origin servers (encryptors).

AWS SPEKE Webcast (30:30)

Get started

We can help you get started with a consultation from our sales and architecture organization, or you can begin your own pilot today.