The BlindCast key server is a Docker image that handles everything your player and uploader need: derive content keys, authenticate viewers, manage leases, and generate presigned upload URLs.
Looking for the full server? The standalone key server documented here derives keys for any content ID you request. The BlindCast Server adds a content registry, API keys, an admin dashboard, and only derives keys for registered content. Use the full server for new deployments; use the standalone key server if you only need key derivation and manage content IDs yourself.

Quick start

docker run -d \
  -e MASTER_KEY_HEX=<your-master-key> \
  -e SALT_HEX=<your-salt> \
  -e CORS_ORIGINS=https://your-app.com \
  -p 4100:4100 \
  blindcast/keyserver

Generate a master key and salt with the CLI:

blindcast keygen
# BLINDCAST_MASTER_KEY=a1b2c3...
# BLINDCAST_SALT=f6e5d4...

Endpoints

| Method | Path                     | Description                      |
|--------|--------------------------|----------------------------------|
| GET    | /keys/:contentId         | Content key (16 raw bytes)       |
| GET    | /keys/:contentId/:epoch  | Epoch key (for key rotation)     |
| POST   | /keys/leases             | Create a lease                   |
| POST   | /keys/leases/renew       | Renew a lease                    |
| POST   | /presign                 | Get a presigned S3 upload URL    |
| GET    | /health                  | Health check                     |

What it does

  1. Key derivation: Derives per-content keys from the master key using HKDF-SHA-256
  2. Authentication: Validates JWTs before issuing keys (configurable via env vars)
  3. Leases: Time-limited access tokens that can be revoked server-side
  4. Presign: Generates presigned S3 URLs for the browser uploader

Configuration at a glance

| Env var          | Required | Description                                        |
|------------------|----------|----------------------------------------------------|
| MASTER_KEY_HEX   | Yes      | Master key as hex (from blindcast keygen)          |
| SALT_HEX         | Yes      | Salt as hex (from blindcast keygen)                |
| CORS_ORIGINS     | Yes      | Allowed CORS origin(s)                             |
| AUTH_JWT_SECRET  | No       | HS256 JWT secret for auth                          |
| AUTH_JWKS_URL    | No       | JWKS URL for RS256/ES256 auth                      |
| ENABLE_PRESIGN   | No       | Enable presign endpoint (true/false)               |
| DATABASE_URL     | No       | Postgres URL (default: SQLite at /data/blindcast.db) |
See Configuration for the full reference.

Next steps