> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blindcast.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# blindcast serve

> Start a local development key server for testing encrypted HLS playback. Not for production — use the Docker key server instead.

`blindcast serve` starts a local key server on port 4100 for development and testing. It derives content keys from your master key and serves them to the player — no Docker, no database, no auth.

## Usage

```bash theme={null}
blindcast serve [flags]
```

## Example

```bash theme={null}
blindcast serve
```

```
BlindCast key server running on http://localhost:4100

Endpoints:
  GET /keys/:contentId          → content key (16 raw bytes)
  GET /keys/:contentId/:epoch   → epoch key (for key rotation)
  GET /health                   → health check

Master key: loaded from $BLINDCAST_MASTER_KEY
Salt:        loaded from $BLINDCAST_SALT
CORS:        * (all origins)
Auth:        disabled (development mode)
```

## Flags

| Flag              | Default                 | Description              |
| ----------------- | ----------------------- | ------------------------ |
| `--port <n>`      | `4100`                  | Port to listen on        |
| `--key <hex>`     | `$BLINDCAST_MASTER_KEY` | Master key as hex string |
| `--salt <hex>`    | `$BLINDCAST_SALT`       | Salt as hex string       |
| `--cors <origin>` | `*`                     | CORS allowed origin      |

## How it works

When the player requests `GET /keys/my-video-001`, the server:

1. Reads the master key and salt from env vars or flags
2. Derives the content key using HKDF-SHA-256 with `my-video-001` as the info parameter
3. Returns 16 raw bytes (`application/octet-stream`)

The player uses this key to decrypt segments fetched from your CDN or local server.

<Warning>
  `blindcast serve` is for local development only. It runs with no authentication and CORS `*`. Never expose it to the internet. Use the [Docker Key Server](/key-server/overview) for production.
</Warning>

## Development vs. production

`blindcast serve` is designed for local development:

|             | `blindcast serve` | [Docker Key Server](/key-server/overview) |
| ----------- | ----------------- | ----------------------------------------- |
| Auth        | None              | JWT via env vars                          |
| CORS        | `*` (all origins) | Configurable per-origin                   |
| Leases      | Not supported     | SQLite or Postgres-backed                 |
| Presign     | Not included      | Bundled (opt-in)                          |
| Persistence | In-memory only    | Database-backed                           |

When you're ready for production, switch to the [Docker Key Server](/key-server/overview).
