Deploy or reference a SPEKE v2-compliant key server (e.g., AWS Elemental key server, Axinom, BuyDRM) and note its SPEKE endpoint URL.
In MediaPackage V2, create a channel group and a live channel; attach an origin endpoint with the desired packaging type (HLS or CMAF/DASH).
In the origin endpoint encryption configuration, specify the SPEKE v2 URL, the IAM role ARN that MediaPackage will assume to call the SPEKE endpoint, and the DRM systems (Widevine, PlayReady, FairPlay) by their respective system IDs.
For HLS with FairPlay, configure the encryption method as SAMPLE-AES or SAMPLE-AES-CTR; for DASH/CMAF with Widevine and PlayReady, use CENC encryption mode.
Test playback with a DRM-enabled player by verifying license acquisition against your DRM license server; the SPEKE key server issues content keys and the DRM server issues playback licenses.
Rotate content keys by configuring key rotation interval in the SPEKE encryption settings; shorter rotation intervals increase key server load.
Known gotchas
SPEKE v2 supports multi-DRM in a single request; SPEKE v1 requires separate requests per DRM system. Verify your key server supports SPEKE v2 before configuring multi-DRM.
The IAM role MediaPackage assumes to call SPEKE must have a trust policy allowing the MediaPackage service principal and permissions to call the key server endpoint.
FairPlay requires a separate certificate configuration on both the SPEKE server and the player; HLS FairPlay and CENC DRM cannot share the same encryption configuration.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp