Register your app as an AVContentKeySessionDelegate and call addContentKeyRecipient with your AVURLAsset
In contentKeySession(_:didProvideContentKeyRequest:), call makeStreamingContentKeyRequestData(forApp:contentIdentifier:options:) with your fetched app certificate and the asset URI as the content identifier to generate the SPC blob
POST the SPC data to your key server endpoint; the server validates it and returns the CKC binary data
Wrap the CKC in an AVContentKeyResponse and call processContentKeyResponse(_:) on the request to complete the handshake and enable decryption
For offline playback, call respondByRequestingPersistableContentKeyRequestAndReturnError, repeat the SPC/CKC flow, then persist the returned key data to disk
Known gotchas
The content identifier passed to makeStreamingContentKeyRequestData must exactly match the URI in the EXT-X-SESSION-KEY or EXT-X-KEY tag, including scheme — a mismatch silently fails key loading
App certificates expire; cache them with a short TTL and handle certificate refresh errors gracefully instead of crashing the session
AVContentKeySession requires a keyDeliveryURL defined in your app entitlement; the domain must be registered in the Apple Developer portal under FairPlay Streaming
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp