# BlindCast

## Docs

- [blindcast encrypt](https://docs.blindcast.dev/cli/encrypt.md): Encrypt HLS segments with AES-128-CBC and rewrite the manifest with EXT-X-KEY tags pointing at your key server.
- [blindcast init](https://docs.blindcast.dev/cli/init.md): Create a sample project with pre-generated HLS segments, a player page, and configuration files. No FFmpeg required.
- [blindcast keygen](https://docs.blindcast.dev/cli/keygen.md): Generate a master key and salt for encrypting video content. Store these securely — losing them means losing access to all encrypted content.
- [CLI Overview](https://docs.blindcast.dev/cli/overview.md): One command-line tool for everything server-side: generate keys, encrypt HLS segments, upload to S3, and run a local dev key server.
- [blindcast serve](https://docs.blindcast.dev/cli/serve.md): Start a local development key server for testing encrypted HLS playback. Not for production — use the Docker key server instead.
- [blindcast upload](https://docs.blindcast.dev/cli/upload.md): Upload encrypted HLS segments and manifest to S3-compatible storage with concurrent uploads and progress reporting.
- [Installation](https://docs.blindcast.dev/getting-started/installation.md): Install BlindCast tools based on what you need: player for playback, CLI for encryption and upload, uploader for browser uploads, or the Docker key server for production.
- [Migrating from Package Imports](https://docs.blindcast.dev/getting-started/migration.md): If you previously used @blindcast/crypto, @blindcast/keys, @blindcast/storage, or @blindcast/player directly, here's how to map those to the new deliverables.
- [Quick Start](https://docs.blindcast.dev/getting-started/quick-start.md): See encrypted HLS playback in ~10 minutes. Generate keys, encrypt sample video, start a local key server, and play it back in the browser.
- [Architecture Overview](https://docs.blindcast.dev/introduction/architecture-overview.md): End-to-end data flow for BlindCast: the upload path (encrypt-then-store), the playback path (fetch-then-decrypt), and the key hierarchy that connects them.
- [What is BlindCast?](https://docs.blindcast.dev/introduction/what-is-blindcast.md): BlindCast is a drop-in zero-knowledge video platform. Unlike standard HLS encryption where your server holds the keys, BlindCast encrypts on the client and your infrastructure never sees plaintext.
- [Zero-Knowledge Explained](https://docs.blindcast.dev/introduction/zero-knowledge-explained.md): What 'zero-knowledge' means in the context of BlindCast: the server stores only opaque encrypted bytes and never has access to your video content.
- [Configuration](https://docs.blindcast.dev/key-server/configuration.md): Configure the key server with environment variables: master key, authentication, CORS, presign, and database.
- [Database](https://docs.blindcast.dev/key-server/database.md): SQLite by default for development, Postgres for production. The database stores lease state — keys are derived, not stored.
- [Leases & Revocation](https://docs.blindcast.dev/key-server/leases.md): Time-limited leases let you revoke a viewer's access without re-encrypting content. Configure lease TTL, revoke by viewer or lease ID.
- [Key Server Overview](https://docs.blindcast.dev/key-server/overview.md): Reference key server as a Docker image. Pull, configure, and run — handles key derivation, authentication, leases, and presigned URLs.
- [Presign Endpoint](https://docs.blindcast.dev/key-server/presign.md): Bundled presign endpoint for browser-side uploads. Enable with ENABLE_PRESIGN=true and S3 credentials.
- [API Reference](https://docs.blindcast.dev/player/api-reference.md): Complete reference for createPlayer, PlayerOpts, BlindcastPlayer, events, metrics, and error codes.
- [Authentication](https://docs.blindcast.dev/player/authentication.md): Provide auth tokens for key server requests using the keyServerAuth callback. Called before every key fetch.
- [Basic Usage](https://docs.blindcast.dev/player/basic-usage.md): Create a player, load a manifest, listen to events, read metrics, and clean up when done.
- [Lease-Based Revocation](https://docs.blindcast.dev/player/leases.md): Revoke a viewer's access without re-encrypting content using time-limited leases that the player renews automatically.
- [Player Overview](https://docs.blindcast.dev/player/overview.md): Drop-in encrypted HLS playback for any web app. Single import, attach to a video element, point at your key server — 10 lines of code.
- [CDN Configuration](https://docs.blindcast.dev/production/cdn.md): Set up CloudFront or Cloudflare to serve encrypted HLS segments with correct CORS headers and cache policies.
- [Production Checklist](https://docs.blindcast.dev/production/checklist.md): Everything to verify before deploying BlindCast to production: auth, CORS, secrets, TLS, rate limiting, and backups.
- [Key Rotation](https://docs.blindcast.dev/production/key-rotation.md): Rotate master keys without downtime: dual-key deployment, re-encryption with the CLI, and safe key removal.
- [Monitoring](https://docs.blindcast.dev/production/monitoring.md): What to monitor in production: player metrics, key server latency, lease activity, and infrastructure health.
- [Error Codes](https://docs.blindcast.dev/reference/error-codes.md): Complete reference for all error codes returned by BlindCast packages. Every error has a code, human-readable message, and suggested remediation.
- [Result Type Pattern](https://docs.blindcast.dev/reference/result-type-pattern.md): How BlindCast uses Result discriminated unions instead of thrown exceptions. Covers the three main consumption patterns with TypeScript narrowing examples.
- [Admin Dashboard](https://docs.blindcast.dev/server/admin-dashboard.md): Built-in browser UI for managing BlindCast Server — setup wizard, content management, API key management, and server info.
- [API Keys](https://docs.blindcast.dev/server/api-keys.md): Manage API keys for the BlindCast Server — scopes, bootstrap key, creation, listing, and revocation.
- [Content API](https://docs.blindcast.dev/server/content-api.md): REST API reference for managing content in BlindCast Server — register, list, update, delete, and get presigned upload URLs.
- [Docker Setup](https://docs.blindcast.dev/server/docker.md): Run BlindCast Server with Docker Compose — Postgres, MinIO (S3), and the server in a single stack. Bring your own database or storage.
- [Server Overview](https://docs.blindcast.dev/server/overview.md): Drop-in Docker server for BlindCast — content registry, API keys, key derivation, presigned uploads, and an admin dashboard in a single container.
- [Reverse Proxy](https://docs.blindcast.dev/server/reverse-proxy.md): Run BlindCast behind nginx, Caddy, or a cloud load balancer — with TLS termination, admin dashboard protection, and rate limiting.
- [AWS Lambda](https://docs.blindcast.dev/serverless/aws-lambda.md): Deploy the BlindCast key server as an AWS Lambda function behind API Gateway HTTP API.
- [Cloudflare Workers](https://docs.blindcast.dev/serverless/cloudflare-workers.md): Deploy the key server to Cloudflare Workers for global edge latency. Uses the standard Fetch API — no Docker, no Express.
- [API Reference](https://docs.blindcast.dev/uploader/api-reference.md): Complete reference for upload(), UploadOptions, UploadResult, SegmentInput, and error codes.
- [Basic Usage](https://docs.blindcast.dev/uploader/basic-usage.md): Upload encrypted video with a single upload() call — handles key fetch, encryption, presign, and manifest rewrite. Includes playback verification.
- [Uploader Overview](https://docs.blindcast.dev/uploader/overview.md): Browser-side encrypted upload SDK. Encrypt pre-segmented HLS content in the browser and upload to S3 via presigned URLs with a single function call.
- [Progress & Abort](https://docs.blindcast.dev/uploader/progress-and-abort.md): Track upload progress with the onProgress callback and cancel in-flight uploads with AbortController.

## OpenAPI Specs

- [openapi](https://docs.blindcast.dev/api-reference/openapi.json)