Getting Started
Common Access Token Validator is a validation service for CTA-5007 Common Access Tokens (CAT). CAT is a lightweight, interoperable bearer token standard for content access control in streaming workflows. The validator exposes a REST endpoint that your origin or CDN can call to verify tokens before granting access to protected media. It is available in Eyevinn Open Source Cloud.
Optional integrations: Redis for token caching and revocation, ClickHouse for analytics and audit logging.
Prerequisites
- If you have not already done so, sign up for an OSC account.
- Your key(s) for verifying CAT tokens (an HMAC shared secret, or the public key from an asymmetric pair).
- Optional: a Valkey or compatible Redis instance for revocation support.
Step 1: Store your keys as a secret
Navigate to the Common Access Token Validator service, open the Service Secrets tab, and create a secret named keys containing your base64-encoded signing key(s):
keys=<your-base64-encoded-key>
Step 2: Create the validator instance
Go to the My cat-validates tab and click Create cat-validate. Fill in:
| Field | Description | Example |
|---|---|---|
| Name | Name for this instance | myvalidator |
| Keys | Signing key(s) for token verification | {{secrets.keys}} |
| Issuer | Expected token issuer claim (optional) | https://auth.example.com |
| RedisUrl | Redis/Valkey connection URL for revocation (optional) | redis://172.232.131.169:6379 |
| ClickHouseUrl | ClickHouse URL for audit logging (optional) | http://172.232.131.169:8123 |
Click Create and wait for the instance status to turn green.
Step 3: Validate tokens
Send a GET request to the validator with the token in the Authorization header:
curl -H "Authorization: Bearer <your-cat-token>" \
https://myvalidator.eyevinn-cat-validate.auto.prod.osaas.io/validate
A 200 OK response means the token is valid. A 401 means it is invalid or expired.
Step 4: Integrate with your origin
Point your streaming origin's token check to the validator URL. The validator is stateless by default — add the RedisUrl parameter if you need to support token revocation before expiry.
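The origin-side check from Steps 3 and 4, as an added example that is not part of the original guide or the cat-validate project. It forwards the bearer token to the `/validate` endpoint and denies access on anything other than a 200, including timeouts. The hostname is the sample instance from Step 3; the function names, the timeout value and the 503 mapping are assumptions.

```javascript
// Added example. The hostname is the sample instance from Step 3; the
// function names, timeout and 503 mapping are assumptions of this sketch.
const VALIDATOR_URL =
  "https://myvalidator.eyevinn-cat-validate.auto.prod.osaas.io/validate";
const TIMEOUT_MS = 2000;

// Extract the token from "Bearer <token>"; null if absent or malformed.
function extractBearer(header) {
  if (typeof header !== "string") return null;
  const m = /^Bearer ([A-Za-z0-9\-._~+\/]+=*)$/i.exec(header.trim());
  return m ? m[1] : null;
}

// Ask the validator. Only an explicit 200 allows; everything else denies.
async function authorize(authHeader, fetchImpl = fetch) {
  const token = extractBearer(authHeader);
  if (!token) return { allow: false, status: 401, reason: "no_token" };
  try {
    const res = await fetchImpl(VALIDATOR_URL, {
      method: "GET",
      headers: { Authorization: `Bearer ${token}` },
      redirect: "error", // do not replay the token to a redirect target
      signal: AbortSignal.timeout(TIMEOUT_MS),
    });
    if (res.status === 200) return { allow: true, status: 200, reason: "valid" };
    if (res.status === 401)
      return { allow: false, status: 401, reason: "invalid_or_expired" };
    return { allow: false, status: 503, reason: "unexpected_validator_status" };
  } catch {
    // Timeout, DNS or TLS failure: fail closed instead of serving media.
    return { allow: false, status: 503, reason: "validator_unreachable" };
  }
}

// Wiring for a Node http handler; serveMedia is the origin's own
// (hypothetical) media handler.
async function gate(req, res, serveMedia, fetchImpl = fetch) {
  const verdict = await authorize(req.headers.authorization, fetchImpl);
  if (verdict.allow) return serveMedia(req, res);
  res.writeHead(verdict.status, { "Cache-Control": "no-store" });
  res.end(); // log verdict.reason server-side, never the token itself
}
```

Returning 503 rather than 401 when the validator is unreachable lets players and monitoring distinguish an outage from a rejected token while still withholding the media.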
CLI Usage
npx -y @osaas/cli create eyevinn-cat-validate myvalidator \
-o Keys="{{secrets.keys}}" \
-o Issuer="https://auth.example.com"
Resources
- eyevinn/cat-validate on GitHub
- node-cat library on GitHub — generate and validate CAT tokens in Node.js
- CTA-5007-B specification
- CAT interoperability testing article