Sharing & Embeds
Share links, password protection, and embed codes
Share links and embed codes let you publish videos outside the admin panel. You still control who can watch.
Share links
Create shareable links from the admin panel or Client API. Links support:
- Public: anyone with the URL can watch
- Password: viewer enters a password before playback
- Expiration: optional expiry in days (1 to 365)
Admin panel
- Open a video, live stream, or collection
- Click Share
- Choose visibility (public or password)
- Set optional expiry
- Copy the link or send via email
Via Client API
curl -X POST "https://your-domain.com/api/client/v1/shareable-links" \
-H "Authorization: Bearer YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"media_id": "video-uuid",
"media_type": "vod",
"visibility": "password",
"password": "secret123",
"expires_in_days": 30
}'media_type accepts: vod, live, collection.
Response includes a token and full share URL. See Shareable Links API.
Public routes
| Route | Purpose |
|---|---|
/share/{token} | Share page with player |
/embed/{type}/{id} | Embed player iframe target |
/api/share/{token}/status | Link status check |
/api/share/{token}/access | Password verification |
Share pages use the branded NixStream player with adaptive streaming.
Password-protected links
When visibility is password, viewers see a password form before playback. Passwords are verified server-side; the token alone is not enough to access content.
curl -X POST "https://your-domain.com/api/share/{token}/access" \
-H "Content-Type: application/json" \
-d '{"password": "secret123"}'Expiration
Expired links return an error on the share page and via the status API. Create a new link if you need to extend access.
Email sharing
Send share links by email from the admin panel: Share > Send email. You need SMTP set up in Settings > General.
MAIL_MAILER=smtp
MAIL_HOST=smtp.example.com
MAIL_PORT=587
MAIL_USERNAME=your_user
MAIL_PASSWORD=your_password
MAIL_FROM_ADDRESS[email protected]Signed URLs
Videos in password-protected collections can use signed URL access for direct manifest requests:
POST /api/share/video/access/{token}/{video_id}Signed URLs expire after a short window to prevent hotlinking.
Embed codes
Copy embed code from the video detail page. Embeds use the custom Shaka-based player and respect security profiles (domain restrictions).
Basic iframe embed
<iframe
src="https://your-domain.com/embed/vod/{video-id}"
width="640"
height="360"
frameborder="0"
allowfullscreen
></iframe>Responsive embed
Wrap the iframe in a container with padding-top: 56.25% (16:9) for responsive layouts.
Security profiles
Security profiles restrict embed and share playback by:
- Allowed domains (referrer check)
- Geo rules (country allow/block lists)
- Signed Edge delivery (HLS + DASH) with AES-128 at rest
Assign a profile in Settings > Security and attach it to collections or individual videos.
Collection shares
Sharing a collection exposes all videos in that folder (and optionally sub-folders, depending on config). Works well for client portals and course libraries.
Troubleshooting
Embed shows blank player: check the domain allowlist in the security profile.
Password loop: make sure cookies aren't blocked. APP_URL must use HTTPS in production.
CORS errors: FRONTEND_URL should match your public domain.
Embed behavior and security profiles: Player, Security. API fields: Shareable Links API.