VIDIZMO API, in general, uses several security measures to ensure data security and privacy. Almost all of these security measures apply to all types of API available with VIDIZMO.
Every API call that you make from an application, whether web-based, desktop or a service, is authenticated with the credentials provided during the Login API call. This is true for the Widgets API, VIDIZMO JS and the Web API. VIDIZMO REST, however, uses a different authentication/authorization protocol, OAuth 2.0, which encapsulates both authentication and authorization (discussed later). OAuth can be used for the Web API as well, and is the only authentication option available when the calling client uses the Web API and is a service or a desktop application. OAuth is an industry-backed protocol that is used on many enterprise as well as public websites and is endorsed by giants such as Facebook, Twitter, Google, Microsoft, etc.
It is important to note that OAuth is a more advanced security protocol and is therefore recommended by VIDIZMO. However, because OAuth is more complex to implement than the Login API call, and since the Widgets and VIDIZMO JS APIs are all about quick integration, OAuth is not an available option with them.
Like authentication, every API call made, whether through the Widgets API, VIDIZMO JS or the Web API, runs under a User Context. This Context determines the rights available to the caller (whether it is an actual user providing credentials to an application that in turn uses the API, or a proxy Login ID used by an application). For example, if the calling application requests videos without logging in, the Context is set to that of an anonymous user, and therefore, based on the settings of the Channel and the videos in it, only videos available to anonymous users are returned. On the other hand, if the application logs in as a user before making such an API call, the videos accessible to that user are returned. Similarly, an application can only upload and publish a video in a channel if the Context has Uploading and Publishing rights for that channel.
Although API calls can be made over an unsecured URL using HTTP, this is not a recommended option. VIDIZMO APIs support HTTPS, which must be used irrespective of the type of API used or the nature of the calling application. Using HTTPS ensures that all data transmitted over the wire is secure, since it is encrypted on one end and decrypted on the other. When using HTTPS, the connection is established over TLS 1.0 or SSL 3.0, message authentication is done using SHA1, and RSA is used as the key exchange mechanism. The connection is encrypted using 128-bit AES CBC encryption (256-bit also available).
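
A client-side check of the negotiated parameters described above, as an added example that is not part of the original page or VIDIZMO's own code. The names `audit_tls` and `negotiated_params` and the sample sessions are assumptions made for illustration; the protocol list reflects the IETF deprecations of SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (RFC 8996), and cipher names follow OpenSSL conventions as reported by Python's `ssl` module.

```python
import socket
import ssl

# Protocol versions formally deprecated by the IETF (RFC 7568, RFC 8996).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20", "POLY1305")


def audit_tls(version, cipher_name, secret_bits):
    """Return a list of findings for one negotiated TLS session.

    Arguments mirror ssl.SSLSocket.version() and ssl.SSLSocket.cipher().
    Cipher properties are inferred heuristically from OpenSSL suite names.
    """
    findings = []
    if version in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {version}")
    if version != "TLSv1.3":  # TLS 1.3 suites are always ephemeral and AEAD
        if not cipher_name.startswith(("ECDHE-", "DHE-")):
            findings.append("static key exchange, no forward secrecy")
        if not any(marker in cipher_name for marker in AEAD_MARKERS):
            findings.append("non-AEAD cipher (CBC or stream mode)")
        if cipher_name.endswith("-SHA"):
            findings.append("HMAC-SHA1 message authentication")
    if secret_bits < 128:
        findings.append(f"weak key length {secret_bits} bits")
    return findings


def negotiated_params(host, port=443, timeout=5.0):
    """Connect with certificate verification; return (version, name, bits).

    Raises ssl.SSLError if client and server share no acceptable protocol.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return tls.version(), name, bits


# Constructed sample sessions (not captured from any VIDIZMO endpoint).
SAMPLES = [
    ("TLSv1", "AES128-SHA", 128),  # TLS 1.0, RSA key exchange, AES-128-CBC, SHA1
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_tls(*sample) or "ok")
```

To audit a live connection, pass the result of `negotiated_params("<your-api-host>")` to `audit_tls`, where the host name is a placeholder for the endpoint your application calls.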
Customers using VIDIZMO get a private space called an Account to interact with. Under an Account they can create Channels and load videos into them for sharing. An application using the VIDIZMO API operates either in the Context of the main Account (including all of its sub-channels) or of a select Channel only. In either case, the VIDIZMO API allows customers to protect their content by allowing or blocking API calls for their Account or a specific Channel from select Domain(s) or IP(s). This puts them in complete control over who and what can programmatically access their content, and therefore adds another level of protection in case a security compromise does happen.
VIDIZMO provides multiple levels of Roles that can be pre-configured for a caller application. This allows even further control over who can access what. With this API Security feature, one application using the VIDIZMO API against an Account can have a different level of access and authority than another application using the API against the same Account. For example, in a scenario where there are two web portals, one for Partners and another for internal Employees, the Employee portal may be given permission to upload content as well as comment on videos, while the Partners portal may be given only viewing permission, with the rest taken away. This feature allows numerous possibilities when it comes to security.
Content Level Rights
VIDIZMO not only allows access and rights settings on the functions performed but also provides content-level protection. An uploaded video can be shared with Anonymous users, Account users, a select Channel or select users. The VIDIZMO API, like the application itself, adheres to these content-level access rights in all API calls.