@ralalabs/manifest-signer
v0.2.1
Published
Runtime-agnostic signed URL generator for manifest-restreamer
Readme
@ralalabs/manifest-signer
Runtime-agnostic signed URL generator for manifest-restreamer.
Works in Node.js 18+, Browsers, Cloudflare Workers, and any edge runtime with WebCrypto. Zero runtime dependencies.
What it does
Generates deterministic restreamer URLs:
https://<publicHost>/manifest/<sid>.<ext>?u=<sealed>Compatibility contract with manifest-restreamer:
sid = HMAC-SHA256(key, originUrl)truncated to 16 hex chars (first 8 bytes)u = AES-256-GCM( { u: originUrl, iat }, AAD: "u:manifest:<sid>" )- Wire format (base64url):
[12B IV][16B TAG][CIPHERTEXT]
Installation
pnpm add @ralalabs/manifest-signerUsage
Standalone function
import { signManifest } from '@ralalabs/manifest-signer';
const result = await signManifest({
originUrl: 'https://cdn.example.com/master.m3u8',
proxySecretHex: process.env.PROXY_SECRET_HEX!,
publicHost: 'https://manifest.domain.com',
});
console.log(result.url);Class (recommended for bulk signing)
Caches CryptoKeys per instance for fast repeated signing.
import { ManifestSigner } from '@ralalabs/manifest-signer';
const signer = new ManifestSigner(process.env.PROXY_SECRET_HEX!);
const signed = await signer.sign(
'https://cdn.example.com/master.m3u8',
'https://manifest.domain.com',
);
console.log(signed.url);API
signManifest(input)
| Field | Type | Required |
| -------------- | ----------------- | -------- |
| originUrl | string | yes |
| proxySecretHex | string (64hex) | yes |
| publicHost | string | yes |
| ext | 'mpd' \| 'm3u8' | optional |
Returns { url, sid, ext, originUrl }
new ManifestSigner(proxySecretHex)
sign(originUrl, publicHost, ext?)— fast path with cached keyssignManifest({ originUrl, publicHost, ext? })— object-style wrapper
Runtime compatibility
Node.js 18+, Browsers, Cloudflare Workers, Bun, Deno. Uses only standard WebCrypto API.
License
MIT
