The BlindCast key server is a Docker image that handles everything your player and uploader need: deriving content keys, authenticating viewers, managing leases, and generating presigned upload URLs.

Quick start

docker run -d \
  -e MASTER_KEY_HEX=<your-master-key> \
  -e SALT_HEX=<your-salt> \
  -e CORS_ORIGINS=https://your-app.com \
  -p 4100:4100 \
  blindcast/keyserver

Generate a master key and salt with the CLI:

blindcast keygen
# BLINDCAST_MASTER_KEY=a1b2c3...
# BLINDCAST_SALT=f6e5d4...

Endpoints

| Method | Path | Description |
|--------|------|-------------|
| GET | /keys/:contentId | Content key (16 raw bytes) |
| GET | /keys/:contentId/:epoch | Epoch key (for key rotation) |
| POST | /keys/leases | Create a lease |
| POST | /keys/leases/renew | Renew a lease |
| POST | /presign | Get a presigned S3 upload URL |
| GET | /health | Health check |

What it does

  1. Key derivation: Derives per-content keys from the master key using HKDF-SHA-256
  2. Authentication: Validates JWTs before issuing keys (configurable via env vars)
  3. Leases: Time-limited access tokens that can be revoked server-side
  4. Presign: Generates presigned S3 URLs for the browser uploader

Configuration at a glance

| Env var | Required | Description |
|---------|----------|-------------|
| MASTER_KEY_HEX | Yes | Master key as hex (from blindcast keygen) |
| SALT_HEX | Yes | Salt as hex (from blindcast keygen) |
| CORS_ORIGINS | Yes | Allowed CORS origin(s) |
| AUTH_JWT_SECRET | No | HS256 JWT secret for auth |
| AUTH_JWKS_URL | No | JWKS URL for RS256/ES256 auth |
| ENABLE_PRESIGN | No | Enable presign endpoint (true/false) |
| DATABASE_URL | No | Postgres URL (default: SQLite at /data/blindcast.db) |

See Configuration for the full reference.
