Skip to main content
blindcast serve starts a local key server on port 4100 for development and testing. It derives content keys from your master key and serves them to the player — no Docker, no database, no auth.

Usage

blindcast serve [flags]

Example

blindcast serve

BlindCast key server running on http://localhost:4100

Endpoints:
  GET /keys/:contentId          → content key (16 raw bytes)
  GET /keys/:contentId/:epoch   → epoch key (for key rotation)
  GET /health                   → health check

Master key: loaded from $BLINDCAST_MASTER_KEY
Salt:        loaded from $BLINDCAST_SALT
CORS:        * (all origins)
Auth:        disabled (development mode)

Flags

FlagDefaultDescription
--port <n>4100Port to listen on
--key <hex>$BLINDCAST_MASTER_KEYMaster key as hex string
--salt <hex>$BLINDCAST_SALTSalt as hex string
--cors <origin>*CORS allowed origin

How it works

When the player requests GET /keys/my-video-001, the server:
  1. Reads the master key and salt from env vars or flags
  2. Derives the content key using HKDF-SHA-256 with my-video-001 as the info parameter
  3. Returns 16 raw bytes (application/octet-stream)
The player uses this key to decrypt segments fetched from your CDN or local server.
blindcast serve is for local development only. It runs with no authentication and CORS *. Never expose it to the internet. Use the Docker Key Server for production.

Development vs. production

blindcast serve is designed for local development:
blindcast serveDocker Key Server
AuthNoneJWT via env vars
CORS* (all origins)Configurable per-origin
LeasesNot supportedSQLite or Postgres-backed
PresignNot includedBundled (opt-in)
PersistenceIn-memory onlyDatabase-backed
When you’re ready for production, switch to the Docker Key Server.