Access Revocation API v2

Create and manage revocation lists of Akamai Edge tokens to be revoked from accessing Adaptive Media Delivery (AMD) content.

Learn more:

Overview

If you use Adaptive Media Delivery (AMD), you can protect your content with Token Authentication. Use it to generate unique tokens that Akamai validates to grant access to your media. Use this API to generate a “revocation list” of specific tokens to block access requests that include them. You can set a time to live for this revocation period to automatically “unrevoke” these tokens, or you can manually remove them from a revocation list. The API also lets you review your revocation lists and access revocation settings.

Additions to this version

We’ve made these updates with version 2 of the API:

  • Increased the rate limiting for requests from 20 to 60 per minute.

  • Updated terminology to remove sensitive language.

Get started

Consider these points before configuring this API for the first time:

  • Work with your account representative to ensure your contract includes the AdaptiveMediaDelivery::AccessRevocation product.

  • You typically can’t use access revocation if you have a unique Token Authentication scenario. A unique scenario is one that’s set up by your account representative. It’s custom and outside the default scenarios you can define using settings in the Segmented Media Protection behavior. If you have a unique scenario, contact your account rep to see if you can use access revocation.

  • Review Get Started with APIs for details on how to set up client tokens to access any Akamai API. These tokens appear as custom hostnames that look like this: https://akzz-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX.luna.akamaiapis.net.

  • To enable this API, choose the API service named Token Authentication as a Service (TaaS), and set the access to READ-WRITE to perform all operations.

  • You can use the Access Revocation API in conjunction with the Property Manager API (PAPI). You can use PAPI to create or update an AMD property to enable Token Revocation, and then use this API to configure your Access Revocation revocation list. Akamai recommends using the Property Manager interface in Akamai Control Center to do this, and that’s what’s covered in this documentation.

Rate limiting

The Access Revocation API imposes a rate limiting constraint of 60 requests per minute to ensure even distribution of system resources. Exceeding the limit results in a 429 error response.

The API responds with these HTTP headers to provide context over how close it’s getting to the limit:

  • X-RateLimit-Limit: 60 requests per minute.

  • X-RateLimit-Remaining: Number of remaining requests allowed during the period.

  • X-RateLimit-Next: Once the X-RateLimit-Limit has been reached, this represents the time you can issue another individual request. The X-RateLimit-Remaining gradually increases and becomes equal to X-RateLimit-Limit again.

Concepts

Familiarize yourself with some of the common terms used in this API.

  • Revocation list. A revocation list provides a way to logically group token identifiers to block their use. For example, you could create a revocation list for a specific event to block specific tokens from accessing content. The revocation list resource also has properties describing its association with a contract. Revocation lists contain the identifiers collection.

  • Identifiers. This collection contains the token identifiers that you’ve included in a revocation list. The token identifier refers to the Session-Id set for the token in Property Manager. You can view this value by reviewing your AMD property in Property Manager—either using Control Center or PAPI.

  • Token. This refers to the session_id set when you define the access token for use with Token Authentication. The session_id serves as the token identifier referenced throughout this documentation.

  • Property. This refers to the Akamai Resource Locator (ARL) properties assigned to the AMD property that has Access Revocation enabled. These properties consist of the unique ARL file ID, the AMD property’s unique ID, and the AMD property’s name.

  • Metadata. In the context of this API, this refers to the current number of tokens named in a revocation list as well as the total number of tokens the revocation list can contain.

Sample usage: Add and enable a revocation list

This quick example shows how to create and apply all of the components used in a revocation list, so you can revoke tokens.

  1. Generate a token and apply it to your content. Extract the token’s session_id value for use later in this process.

  2. Add a revocation list to establish a new revocation list. Make note of the name set for the revocation list.

  3. Create a new AMD property, or access an existing one in Property Manager on Control Center.

  4. Ensure you add the Segmented Media Protection behavior to an applicable rule. Enable Advanced Options and set the Session-Id slider to On.

  5. Set the Token Revocation slider to On.

  6. In the Revocation List Name drop-down, select the revocation list you created with the API.

  7. Save the AMD property and activate it on the production network to start delivering your media.

  8. Revoke tokens to add one or more offending tokens to the revocation list. This blocks requests that include them from access.

Resources

This section provides details on the API’s various operations.

API summary

Download the RAML descriptors for this API.

Operation Method Endpoint
List revocation lists GET /taas/v2/revocation-lists
Add a revocation list POST /taas/v2/revocation-lists
Delete a revocation list DELETE /taas/v2/revocation-lists/{revocation-listId}
List revocation list ARL properties GET /taas/v2/revocation-lists/{revocation-listId}/properties
Get revocation list identifier count information GET /taas/v2/revocation-lists/{revocation-listId}/meta
List identifiers GET /taas/v2/revocation-lists/{revocation-listId}/identifiers
Revoke tokens POST /taas/v2/revocation-lists/{revocation-listId}/identifiers/add
Unrevoke tokens POST /taas/v2/revocation-lists/{revocation-listId}/identifiers/remove
Get an identifier GET /taas/v2/revocation-lists/{revocation-listId}/identifiers/{tokenId}

List revocation lists

Get a list of all revocation lists.

GET /taas/v2/revocation-lists

Status 200 application/json

Object type: Revocation-list

Download schema: getRevocation-lists-200.json

Response body:

[
    {
        "id": 1,
        "name": "customer-revocation-list1",
        "contractId": "1-ABCDE",
        "createdTime": 1569238487,
        "createdBy": "ccare2"
    },
    {
        "id": 2,
        "name": "customer-revocation-list2",
        "contractId": "2-BCDE",
        "createdBy": "ccare2",
        "createdTime": 1569238504
    }
]

Add a revocation list

Add a new list to house token identifiers that you want revoked from access. Currently, you can only have a single revocation list. There isn’t an operation that lets you modify these settings for a revocation list, so be sure you provide the proper details when adding. However, you can revoke or unrevoke token identifiers from this revocation list, as necessary.

POST /taas/v2/revocation-lists

Content-Type: application/json

Object type: Revocation-list

Download schema: addRevocation-listParams.json

Request body:

{
    "name": "Baseball-ws-2019",
    "contractId": "1-ABCDE"
}

Status 202 application/json

Object type: Revocation-list

Download schema: addRevocation-listResponse-202.json

Response body:

{
    "id": 1,
    "name": "Baseball-ws-2019",
    "contractId": "1-ABCDE"
}

  1. If necessary, work with your account representative to obtain the Akamai contractId assigned to your instance of Access Revocation.

  2. Build a new Revocation List object. Include a unique name for the revocation list and also include your applicable contractId.

  3. POST the object to /taas/v2/revocation-lists.

  4. The operation responds with a revocation list object. Store the id value from the response. This is the revocation-listId used in several other operations.

  5. Revoke tokens to add token identifiers to the revocation-list.

Delete a revocation list

Delete a specific revocation list. This removes support for Access Revocation in any AMD property that may have this revocation list currently selected for use.

DELETE /taas/v2/revocation-lists/{revocation-listId}

Sample: /taas/v2/revocation-lists/120964235098767

Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 204

List revocation list ARL properties

Get a list of Property Manager-specific information for each AMD property that uses this revocation list.

GET /taas/v2/revocation-lists/{revocation-listId}/properties

Sample: /taas/v2/revocation-lists/120964235098767/properties

Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 200 application/json

Object type: Property

Download schema: getRevocation-listARLProperties-200.json

Response body:

[
    {
        "arlFileId": 12345,
        "propertyId": 3456789,
        "propertyName": "customer-foo.com"
    },
    {
        "arlFileId": 56789,
        "propertyId": 12345678,
        "propertyName": "customer-bar.com"
    }
]

  1. List revocation lists and store the appropriate revocation list’s id as a revocation-listId parameter.

  2. Make a GET request to /taas/v2/revocation-lists/{revocation-listId}/properties.

  3. Review the list of the Property objects returned.

Get revocation list identifier count information

Get the current count and maximum number of identifiers allowed in the revocation list.

GET /taas/v2/revocation-lists/{revocation-listId}/meta

Sample: /taas/v2/revocation-lists/120964235098767/meta

Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 200 application/json

Object type: Metadata

Download schema: metaInfo.json

Response body:

{
    "count": 500,
    "limit": 25000
}

  1. List revocation lists and store the appropriate revocation list’s id as a revocation-listId parameter.

  2. Make a GET request to /taas/v2/revocation-lists/{revocation-listId}/meta.

  3. Review the list of Metadata objects that’s returned.

List identifiers

List all of the identifiers that belong to a specific revocation list so you can review their details.

GET /taas/v2/revocation-lists/{revocation-listId}/identifiers

Sample: /taas/v2/revocation-lists/120964235098767/identifiers

Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 200 application/json

Object type: Identifier

Download schema: getIdentifiers-200.json

Response body:

[
    {
        "id": "sqwoieksjbsdf3455",
        "ttl": 86400
    },
    {
        "id": "9082349u534589824",
        "ttl": 21600
    },
    {
        "id": "68sd899ff09sdf8787",
        "ttl": 25200
    }
]

  1. List revocation lists and store the appropriate revocation list’s id as a revocation-listId parameter.

  2. Make a GET request to /taas/v2/revocation-lists/{revocation-listId}/identifiers.

  3. Review the list of Identifier objects that’s returned.

Revoke tokens

Add a set of token identifiers to a revocation list to revoke them.

POST /taas/v2/revocation-lists/{revocation-listId}/identifiers/add

Sample: /taas/v2/revocation-lists/120964235098767/identifiers/add

Content-Type: application/json

Object type: Identifier

Download schema: addIdentifiersParams.json

Request body:

[
    {
        "id": "sdasd345466dg",
        "durationSeconds": 18000
    },
    {
        "id": "utrfhasdf8990",
        "durationSeconds": 3600
    }
]
Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 200 application/json

Object type: Metadata

Download schema: metaInfo.json

Response body:

{
    "count": 500,
    "limit": 25000
}

  1. List revocation lists and store the appropriate revocation list’s id as a revocation-listId parameter.

  2. Obtain the session_id from the access token that you’ve configured to support Token Authentication. This value serves as the token identifier id. See the AMD Implementation Guide for Token Authentication instructions.

  3. Build a new Identifier array. Add an object for each token you want revoked. Include the identifier id for each, and optionally include the durationSeconds member to set a time to live for the revocation. Adding many identifier objects to revoke many tokens lets you bulk update in a single operation.

  4. POST the object to /taas/v2/revocation-lists/{revocation-listId}/identifiers/add.

The operation responds with the Metadata object that shows the current count of token identifiers in the revocation list and the maximum number of identifiers it can house.

Unrevoke tokens

Remove token identifiers from a revocation list.

POST /taas/v2/revocation-lists/{revocation-listId}/identifiers/remove

Sample: /taas/v2/revocation-lists/120964235098767/identifiers/remove

Content-Type: application/json

Object type: Identifier

Download schema: removeIdentifiersParams.json

Request body:

[
    "sqwoieksjbsdf3455",
    "9082349u534589824",
    "68sd899ff09sdf8787"
]
Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.

Status 200 application/json

Object type: Metadata

Download schema: metaInfo.json

Response body:

{
    "count": 500,
    "limit": 25000
}

  1. List revocation lists and store the id for the revocation list you want to unrevoke tokens. Store this as the revocation-listId request parameter.

  2. Obtain the session_id from the access tokens that you want to unrevoke. This value serves as the token identifier id. Token Authentication is described in the AMD Implementation Guide.

  3. Build a new Identifier object. Include the identifier id for each token identifier, and separate multiple entries with a comma.

  4. POST the object to /taas/v2/revocation-lists/{revocation-listId}/identifiers/remove.

The operation responds with the Metadata object that shows the current count of token identifiers in the revocation list and the maximum number of identifiers it can house.

Get an identifier

Get a specific identifier that belongs to a revocation list and review its details.

GET /taas/v2/revocation-lists/{revocation-listId}/identifiers/{tokenId}

Sample: /taas/v2/revocation-lists/120964235098767/identifiers/sqwoieksjbsdf3455

Parameter Type Sample Description
URL path parameters
revocation-listId Number 120964235098767 Uniquely identifies each revocation list. This corresponds to the revocation list object’s id member.
tokenId String sqwoieksjbsdf3455 The token identifier portion of the complete Akamai token. A token identifier can contain a maximum of 36 alphanumeric characters, hyphens, or underscores.

Status 200 application/json

Object type: Identifier

Download schema: getIdentifier-200.json

Response body:

{
    "id": "sqwoieksjbsdf3455",
    "ttl": 86400
}

  1. List revocation lists and store the appropriate revocation list’s id as a revocation-listId parameter.

  2. List identifiers and store the id for the desired token identifier.

  3. Make a GET request to /taas/v2/revocation-lists/{revocation-listId}/identifiers/{tokenId}.

  4. Review the specific Identifier object that’s returned.

Data

Download the JSON schemas for this API.

This section’s data schema tables list membership requirements as follows:

Member is required in requests, or always present in responses, even if its value is empty or null.
Member is out of scope, and irrelevant to the specified interaction context. If you include the member in that context, it either triggers an error, or is ignored.

Revocation-list

Parameters assigned to a revocation list during its creation.

Download schema: addRevocation-listParams.json, getRevocation-lists-200.json

Sample GET response:

[
    {
        "id": 1,
        "name": "customer-revocation-list1",
        "contractId": "1-ABCDE",
        "createdTime": 1569238487,
        "createdBy": "ccare2"
    },
    {
        "id": 2,
        "name": "customer-revocation-list2",
        "contractId": "2-BCDE",
        "createdBy": "ccare2",
        "createdTime": 1569238504
    }
]

Revocation-list members

Member Type Required Description
Revocation-list: Parameters assigned to a revocation list during its creation.
contractId String The Akamai-assigned contract ID for your instance of Access Revocation.
createdBy String The Control Center login ID used to create the revocation list.
createdTime Integer The Unix epoch time when the revocation list was created.
id Integer A unique numeric identifier assigned to a revocation list.
name String A friendly name for the revocation list. The name can only contain alphanumeric and dash characters.

Property

A list of Akamai resource locator (ARL) file information for each AMD property that uses a revocation list.

Download schema: getRevocation-listARLProperties-200.json

Sample GET response:

[
    {
        "arlFileId": 12345,
        "propertyId": 3456789,
        "propertyName": "customer-foo.com"
    },
    {
        "arlFileId": 56789,
        "propertyId": 12345678,
        "propertyName": "customer-bar.com"
    }
]

Property members

Member Type Description
Property: A list of Akamai resource locator (ARL) file information for each AMD property that uses a revocation list.
arlFileId Integer The unique ARL file identifier assigned to the AMD property that has access revocation enabled.
propertyId Integer The unique property ID assigned to the AMD property.
propertyName String The property name set for the AMD property.

Metadata

The current count of token identifiers in a revocation list and the maximum number of identifiers it can house.

Download schema: metaInfo.json

Sample GET response:

{
    "count": 500,
    "limit": 25000
}

Metadata members

Member Type Description
Metadata: The current count of token identifiers in a revocation list and the maximum number of identifiers it can house.
count Integer The total number of token identifiers in the revocation list .
limit Integer The maximum number of token identifiers that you can add to the revocation list .

Identifier

A list of all token authentication tokens, and the parameters set for each.

Download schema: getIdentifiers-200.json

Sample GET response:

[
    {
        "id": "sqwoieksjbsdf3455",
        "ttl": 86400
    },
    {
        "id": "9082349u534589824",
        "ttl": 21600
    },
    {
        "id": "68sd899ff09sdf8787",
        "ttl": 25200
    }
]

Identifier members

Member Type Description
Identifier: A list of all token authentication tokens, and the parameters set for each.
id String The unique identifier assigned to the token.
ttl Integer The time to live (TTL) for the revocation list, in seconds. After this time elapses, Akamai removes this token from the revocation list.

Errors

This section provides details on the data object that reflects the API’s common response to error cases, and lists the API’s range of response status codes for both error and success cases.

Error responses

When the API encounters an error, it responds with an error code and an error message that provides details that can be useful for debugging.

This shows a typical error response when you try to access a non-existent revocation-listId.

{
  "type": "resource-not-found",
  "title": "Resource Not Found",
  "instance": "0a037412-6aac-4c7f-9e45-b29fb874db86",
  "status": 404,
  "detail": "Resource Not Found (details=[No revocation list exists with given ID 123.])"
}

HTTP status codes

The API produces this set of HTTP status codes for both success and failure scenarios:

Code Description
200 The operation was successful.
202 Accepted.
204 No content.
400 Bad Request.
403 Access is forbidden.
404 Not Found.
500 Internal Server Error.