> ## Documentation Index
> Fetch the complete documentation index at: https://docs.blindcast.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Provide auth tokens for key server requests using the keyServerAuth callback. Called before every key fetch.

If your key server requires authentication, provide the `keyServerAuth` callback. The player calls it before every key request and attaches the returned token as a `Bearer` header.

## Basic setup

```typescript theme={null}
import { createPlayer } from "@blindcast/player"

const result = createPlayer(videoEl, {
  keyServerUrl: "https://keys.example.com/keys",
  keyServerAuth: async () => {
    // Return the raw token — the player prepends "Bearer "
    return getAccessToken() // e.g., "eyJhbGciOiJIUzI1NiI..."
  },
})
```

The callback is `async`, so you can fetch or refresh tokens before returning:

```typescript theme={null}
keyServerAuth: async () => {
  if (isTokenExpired(currentToken)) {
    currentToken = await refreshToken()
  }
  return currentToken
}
```

## How it works

1. The player encounters an `EXT-X-KEY` tag in the manifest
2. Before fetching the key, it calls your `keyServerAuth()` function
3. The returned string is sent as `Authorization: Bearer <token>`
4. If the key server returns 401 or 403, the player emits a `KEY_AUTH_FAILED` error

## Error handling

```typescript theme={null}
player.on("error", (err) => {
  if (err.code === "KEY_AUTH_FAILED") {
    // Token is invalid or expired — prompt re-login
    redirectToLogin()
  }
})
```

<Warning>
  Never log the token returned by `keyServerAuth`. The player does not include tokens in error messages or metrics.
</Warning>
