“Protect the video” is three different problems wearing one sentence. Stopping strangers from fetching your segments is an access problem. Stopping a paying viewer from saving the file is a rights problem. Finding out which paying viewer leaked the stream anyway is a forensics problem. Tokens, DRM and watermarking solve one each, none solves another’s, and mature video security is choosing which layers each tier of content actually needs.
Three threats, three layers
Name the threat before buying the control. Hotlinking and restream-by-URL — someone embedding your stream or sharing manifest links — is defeated by tokens alone. Casual capture — download tools, browser extensions saving segments — is defeated by DRM. Determined piracy — a subscriber re-encoding the screen output and restreaming it — is defeated by nothing preventive; the realistic goal is identification and takedown speed, which is watermarking’s job. The layers also fail independently: a leaked signing key breaks tokens but not DRM; a cracked device breaks DRM but not watermark tracing. That independence is the argument for layering on high-value content, and for skipping layers — deliberately, in writing — on content whose piracy simply does not cost you much.
Layer 1: tokens — who may fetch
Edge-validated tokens are the floor for any non-public video: a session-scoped signed cookie or signed path covering the title for the viewing window, validated cryptographically at the CDN, excluded from the cache key so protection costs no hit ratio. The design decisions — URL vs cookie, scopes, expiry, dual-key rotation — are covered in signed URLs and cookies and apply to video unchanged; the video-specific additions are concurrency and geography. Concurrency limits (one account, N simultaneous streams) are an application-side check at session issuance, not an edge feature — the edge enforces the token, your backend decides how many tokens a login may hold alive. Geographic licensing restrictions ride the same session check plus edge country rules, with the honesty caveats from geo-blocking: country-level accuracy, VPN reality, and an honest block page for licensing denials. Tokens stop URL sharing; they do nothing about the viewer who was legitimately issued one — that is the next layer’s job.
Layer 2: DRM — what a fetched file is worth
DRM encrypts the media itself, so a captured segment is ciphertext without a license: keys are delivered per session by a license server after the player proves what device and protection level it offers. Practical reality is a three-system world — Widevine (Chrome, Android), FairPlay (Apple), PlayReady (Windows, many TVs) — so multi-DRM is not optional for a general audience, and the sane route is a multi-DRM service plus CPIX-standard key exchange with your packager rather than hand-rolling license infrastructure. Delivery-side impact is pleasantly small: with CMAF and common encryption the same encrypted segments serve all three systems, everything stays cacheable exactly as before, and the license call — one small uncacheable request at session start — is the only new latency, worth keeping off the critical path startup already fights for in startup time. The honest limits: output protection depends on device security levels (hardware-backed paths gate the top rungs — a policy decision: how many rungs do software-only devices get?), and no DRM survives the analogue hole. Point a camera at a screen and layer two is done — enter layer three.
Layer 3: watermarking — who leaked it
Forensic watermarking embeds an imperceptible per-session identifier in the picture, so a pirated copy — even camera-captured and re-encoded — can be traced to the account that played it. Two delivery-relevant architectures dominate: server-side A/B variants, where segments exist in two watermark flavours and each session receives a unique A/B sequence (cache-friendly — two copies total, per-session uniqueness assembled in the manifest), and client-side embedding, where the player composites the mark (no extra cache footprint, but trust moves into the client). A/B watermarking pairs naturally with CDN delivery and per-session manifests; its cost is doubled segment storage and a manifest service that must remain fast. Watermarking without an enforcement loop is decoration: it pays for itself only alongside monitoring for pirated restreams and a takedown process measured in minutes for live sports — which is why it lives almost exclusively on premium live and early-window content, where identifying one leaking account mid-event has direct monetary value.
Matching layers to content value
Write the tiering table and stop arguing case by case. Free marketing content: no layers — public and cacheable, as in VOD delivery. Standard subscription library: tokens always; DRM where licensing contracts demand it (studio agreements usually do) or capture pain is real. Premium originals and early windows: tokens plus multi-DRM with hardware-level policies on top rungs. Marquee live — sports, PPV: all three, with A/B watermarking and a rehearsed takedown loop, because the piracy window is the event. Then audit the layers like any security control: token checks in the quarterly audit, license-server availability on the incident radar (a down license server is a total outage for protected content), and one annual honest review of what each layer costs against what leakage actually costs — because over-protection has a bill too, paid in startup latency, device compatibility and engineering weeks.
