Skip to main content
The BlindCast Server is a complete backend for encrypted video — register content, manage API keys, derive content keys, generate presigned upload URLs, and administer everything from a built-in dashboard.

What it includes

FeatureDescription
Content registryPostgres-backed content CRUD with status management
API key authSHA-256 hashed keys with scopes (admin, full, upload, playback)
Key derivationHKDF-SHA-256 content keys — only for registered, active content
Presigned uploadsS3-compatible presigned PUT URLs scoped to content
Viewer authHS256 or JWKS JWT verification for key endpoints
LeasesTime-limited, revocable access tokens
Admin dashboardReact SPA at /admin with first-launch setup wizard

Quick start

# 1. Generate keys
openssl rand -hex 32  # → MASTER_KEY_HEX
openssl rand -hex 32  # → SALT_HEX

# 2. Start everything
cd packages/server
MASTER_KEY_HEX=<your-key> SALT_HEX=<your-salt> docker compose up -d

# 3. Open the dashboard
open http://localhost:4100/admin
The first visit to the dashboard triggers a setup wizard that creates your first admin API key.

Architecture

The server composes existing BlindCast packages:
  • @blindcast/keys/express — key derivation router mounted at /keys
  • @blindcast/storage/presign-server — presigned URL generation
  • Content registry — Postgres-backed content + API key stores
  • Admin SPA — static React + Tailwind files served at /admin

Endpoints

MethodPathAuthDescription
GET/healthNoneHealth check
GET/keys/:contentIdJWT (optional)Derive content key
POST/api/v1/contentAPI keyRegister content
GET/api/v1/contentAPI keyList content
GET/api/v1/content/:idAPI keyGet content details
PATCH/api/v1/content/:idAPI keyUpdate content
DELETE/api/v1/content/:idAPI keySoft-delete content
POST/api/v1/content/:id/presignAPI keyGet presigned upload URLs
POST/api/v1/api-keysAPI key (admin)Create API key
GET/api/v1/api-keysAPI key (admin)List API keys
DELETE/api/v1/api-keys/:idAPI key (admin)Revoke API key
POST/api/v1/setupNone (first run only)Create initial admin key

Key validation

The server only derives keys for registered, active content. If a viewer requests a key for an unregistered or disabled content ID, the key server returns 404. This prevents key derivation for arbitrary content IDs.

Next steps