ART19 offers the ability to authorize access to podcast content distributed through RSS feeds via JSON Web Token (JWT). This feature can be used to limit access to subscriber-only content, such as ad-free episodes.
JWT is an industry-standard method (RFC 7519) for representing claims securely between two parties. If you operate your own podcast client, you can issue a JWT to a user who authenticates with your service and pass it to ART19 as an Authorization request header when accessing your feed. This is a more secure method of restricting access to a feed compared to our access token method.
Getting Started with JWT Feeds
Contact our support team (support@art19.com) and let us know which feed(s) you would like to use with JWT. You can also request that new feeds be created.
Provide our support team with your public signing keys. You can use multiple keys per feed. For example, you could issue separate keys for test and production use. You can also define start and end dates for each key.
We will confirm when your feeds are set up and you can begin testing your implementation. Depending on the scope of the request, this process may take several business days.
Configuration
The JWT must be provided as a bearer token in the Authorization header of the request for the feed URL and for enclosure URLs, e.g. `Authorization: Bearer {token}`
Supported Signature Algorithms
- RSA
- ECDSA
Key Generation
RSA keys
# generate private key. bits must be >= 2048. do not share this with ART19.
openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out rsa4096.priv.pem
# get a public key file which can be shared
openssl pkey -in rsa4096.priv.pem -pubout -out rsa4096.pub.pem
ECDSA keys
# generate private key. supported curves are prime256v1, secp384r1, and secp521r1. do not share this with ART19.
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:prime256v1 -out ecprime256v1.priv.pem
# get a public key file which can be shared
openssl pkey -in ecprime256v1.priv.pem -pubout -out ecprime256v1.pub.pem
Verify public keys (either type)
openssl pkey -in key.pub.pem -pubin -text
Note: older versions of OpenSSL do not support the ECDSA commands above; they work with OpenSSL 1.1.1k.
Claim Fields
`exp` (expiration)
- E.g. `{"exp": seconds_since_epoch}`
- This is a required field
`nbf` (not before)
- E.g. `{"nbf": seconds_since_epoch}`
`aud` (audience)
- Must match the URL requested: the feed URL for feed requests and the enclosure URL for enclosure requests. This offers additional protection against an intercepted token being used to download an entire feed.
Error Handling
- If the JWT is expired, or invalid for any reason, ART19 will return a 401 status code
- Your application is responsible for handling the 401 and generating a new JWT if necessary
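The following Go program is an added example, not code from ART19's documentation or any ART19 library. It shows a podcast client issuing a token with the three documented claims (`exp`, `nbf`, `aud`) signed with an ECDSA P-256 key, the key type the page's prime256v1 openssl command produces, and then applies the checks that a feed server is assumed to perform before answering with a 401: signature, expiry, not-before and audience against the URL actually requested. The function names, the ES256 choice, the placeholder feed URL and the in-process key generator (a constructed stand-in for `openssl genpkey`) are all assumptions of this example; the verification logic is a model of the server's behaviour as the page describes it, not ART19's implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type Claims struct {
	Exp int64  `json:"exp"`           // required
	Nbf int64  `json:"nbf,omitempty"` // optional
	Aud string `json:"aud,omitempty"` // optional; the feed or enclosure URL
}

var ErrUnauthorized = errors.New("401 Unauthorized: JWT expired or invalid") // all a client sees

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewP256KeyPEM is a constructed stand-in for the page's `openssl genpkey -algorithm ec ...` command.
func NewP256KeyPEM() []byte {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

// LoadECPrivateKeyPEM parses the PKCS#8 PEM that openssl writes (the private file never shared with ART19).
func LoadECPrivateKeyPEM(pemBytes []byte) (*ecdsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block != nil {
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if ec, ok := key.(*ecdsa.PrivateKey); ok && err == nil {
			return ec, nil
		}
	}
	return nil, errors.New("input is not a PKCS#8 EC private key PEM")
}

// SignES256 builds header.payload.signature (RFC 7519 compact form) with a P-256 key.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	payload, _ := json.Marshal(c) // marshalling a plain struct cannot fail
	signingInput := b64url(hdr) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	// JWS wants raw r||s (32 bytes each for P-256), not the ASN.1 DER that `openssl dgst -sign` emits.
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return signingInput + "." + b64url(sig), nil
}

// VerifyES256 models the server-side checks; every failure collapses to ErrUnauthorized, as a 401 would.
func VerifyES256(pub *ecdsa.PublicKey, token, requestedURL string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	raw := make([][]byte, len(parts))
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, ErrUnauthorized
		}
		raw[i] = b
	}
	var hdr struct{ Alg string `json:"alg"` }
	var c Claims
	// Pin the algorithm: the token's own "alg" header must never choose the verifier.
	if len(raw) != 3 || json.Unmarshal(raw[0], &hdr) != nil || hdr.Alg != "ES256" ||
		json.Unmarshal(raw[1], &c) != nil || len(raw[2]) != 64 {
		return nil, ErrUnauthorized
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(raw[2][:32]), new(big.Int).SetBytes(raw[2][32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, ErrUnauthorized
	}
	t := now.Unix() // exp is required and must lie ahead; nbf must have passed; aud must match the request
	if c.Exp == 0 || t >= c.Exp || (c.Nbf != 0 && t < c.Nbf) || (c.Aud != "" && c.Aud != requestedURL) {
		return nil, ErrUnauthorized
	}
	return &c, nil
}

func main() {
	key, _ := LoadECPrivateKeyPEM(NewP256KeyPEM())
	tok, _ := SignES256(key, Claims{Exp: time.Now().Add(10 * time.Minute).Unix(), Aud: "https://feeds.example.com/show"})
	fmt.Println("Authorization: Bearer " + tok) // header value the feed and enclosure requests carry
}
```

Because `aud` is bound to the exact URL, a token minted for the feed URL fails verification when replayed against an enclosure URL, which is the protection the audience claim section describes; a client that receives the 401 should mint a fresh token for the URL it is about to request rather than retry the same one.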
Miscellaneous
- We do not recommend adding enclosure prefixes to JWT-secured feeds, because the client may send the Authorization header to the third-party prefix host
Rotating Signing Keys
Contact our support team (support@art19.com) and let us know which feeds and/or keys you would like to rotate. You can define a schedule for when the previous keys are no longer valid to ensure that listening is not disrupted for end-users of your application.