Authenticating with Skylark to build integrations, automation scripts, modify data via the API, and request viewable URLs

You will need to authenticate with Skylark via Cognito in order to perform certain tasks like modifying data (all POST, PATCH, PUT, and DELETE requests), and certain GET requests, such as those that aren't used to display content in your streaming service.

Viewings are a record and authorization of a single content playback or download, and also require authentication. They are typically issued when a play or download button is pressed. To request a viewing, you should proxy a POST request to our /viewings endpoint for the desired asset, after checking that the user that is authenticated with you is entitled to watch the asset.

After authenticating via Cognito, you can pass the ID TOKEN as the Authorization header in the request.

Authorization: Bearer <<id token>>

Authenticating via Cognito

Skylark supports SRP based authentication with Cognito. This avoids sending the password across the network and is hence more secure. The client application should invoke the InitialAuth operation of Cognito passing the user name and SRP details. Cognito returns authentication parameters in the response. The client should then call the RespondToAuthChallenge. If this succeeds, Cognito will return the user’s JWT tokens. The ID token can then be used to call any Skylark API by passing it as an Authorization header. Please note that the token is only valid for an hour and will need to be renewed either by initiating the SRP authentication flow again or using refresh token-based authentication.

Here are some sample codes that can be used to interact with Cognito. The Cognito user pool id and client id will be shared by your customer success representative.

import Amplify from "@aws-amplify/core";
import Auth from "@aws-amplify/auth";

const config = {
    Auth: {
      region: "", // SKYLARK DEPLOYMENT REGION
      userPoolId: "", // SKYLARK COGNITO USER POOL ID
      userPoolWebClientId: "", // SKYLARK COGNITO CLIENT ID
      authenticationFlowType: "USER_SRP_AUTH",
    // Use cookieStorage to store tokens in Cookies rather than Local Storage in the browser
    // Optional, remove if not in browser
    cookieStorage: {
      domain: "", // DOMAIN OF YOUR WEBAPP
      path: "/",
      expires: 365,
      sameSite: "strict",
      secure: true,


// Sign in
const signIn = (email, password) => Auth.signIn(email, password);

// Get ID token for signed in user (Used in requests to Skylark)
export const getIdToken = async () => {
  // currentSession will automatically refresh the idToken
  const session = await Auth.currentSession();
  const token = session.getIdToken().getJwtToken();
  return token;
from pycognito.utils import RequestsSrpAuth, TokenType
import requests
from urllib.parse import urljoin

SKYLARK_API_URL = 'https://api.<skylark env>.<account name>'

# get auth token
auth = RequestsSrpAuth(
    username='<<user email>>',
    password='some password',
    user_pool_id='<<Cognito user pool id>>',
    client_id='<<Cognito client id>>',
    auth_token_type=TokenType.ID_TOKEN,  # we need the ID TOKEN

# call Skylark API using auth token
response = requests.get(urljoin(SKYLARK_API_URL, '/api/asset-types/'), auth=auth)


External OVP Authentication Setup and Configuration

The technical playback attributes of an Asset are stored in the ovps attribute, and modified using the Asset API. Each key-value pair is associated with with an Account.

The required OVP attributes will depend on the configured OVP and content protection in use, and may include base stream URL, content identifiers, or the locations of encrypted assets. This information is used to generate the required authorization when Viewings are created.

Note on Cache Control Headers

If a client header contains Cache Control - no-cache, the request must provide an Authorisation header.

If there is no authorisation header included in the request, Skylark will return a 401 error code.