Configure your DRM key server to expose a SPEKE-compliant HTTPS endpoint that accepts POST requests containing a CPIX document
In MediaPackage, create an encryption configuration pointing to the key server URL; set the X-Speke-Version request header to '2.0' to opt into CPIX 2.3 semantics
Define separate ContentKeyUsageRule entries in the CPIX document for audio, SD video, HD video, and UHD video tracks to enable multi-key encryption
MediaPackage sends the CPIX document to the key server, which responds with the same document augmented with encrypted ContentKey elements for each DRM system (Widevine, PlayReady, FairPlay)
Validate the returned CPIX document — check the CPIX@version attribute is present and matches the requested version — before accepting the keys
Known gotchas
SPEKE v1 and SPEKE v2 are not interchangeable; v2 uses CPIX 2.3 and supports per-track keys, while v1 uses a single key for all tracks — mixing versions causes silent key mismatches
Content key encryption (wrapping keys in the CPIX document with the packager's certificate) is required in SPEKE v2 to protect keys in transit; plain-text key exchange is not permitted
The key provider endpoint must be reachable from MediaPackage's service IP ranges; use a VPC endpoint or an API Gateway with IAM auth to avoid exposing it publicly
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp