Authentication overview

Catch The Show provides authentication mechanisms to secure access to its suite of APIs, including the Live API, Video On Demand API, and Interactive Video API. These mechanisms ensure that only authorized applications and users can interact with your video streams, content, and platform resources. The primary approach involves a combination of API keys for server-side requests and access tokens for client-side operations, aligning with common practices for secure API access in distributed systems Google Cloud API key best practices. All API communication with Catch The Show is encrypted using HTTPS/TLS, providing a secure channel for transmitting sensitive data, including authentication credentials.

Developers integrate authentication directly into their applications using Catch The Show's client libraries (SDKs) available for JavaScript, Python, Go, and Ruby, or by making direct HTTP requests. The choice of method depends on the application's architecture and the context of the API call—whether it originates from a trusted backend server or a client-side environment like a web browser or mobile application.

Supported authentication methods

Catch The Show supports distinct authentication methods tailored to different operational contexts, enhancing security by separating server-to-server and client-to-server interactions. Understanding when to apply each method is crucial for designing a secure and functional integration.

Method When to Use Security Level
API Key (Secret Key) Server-side API calls (e.g., creating live streams, managing VOD assets, user management). These keys grant broad access and must be kept confidential. High – Requires secure storage and transmission.
Access Token (Client-side Token) Client-side API calls (e.g., joining a live stream, interacting with video players, fetching public video metadata). These tokens are often short-lived and scoped to specific permissions. Moderate – Designed for public exposure with limited permissions.

API Keys are typically long-lived credentials that provide extensive control over your Catch The Show account. They are suitable for backend services where the key can be securely stored and managed. Access tokens, in contrast, are generally generated by your backend using an API key and then passed to client applications. This approach adheres to the principle of least privilege, minimizing the impact of a compromised client-side token.

Getting your credentials

To begin integrating with Catch The Show, you need to obtain your API keys. These credentials are generated and managed within the Catch The Show dashboard. The process generally involves creating a project or application, which then provides you with the necessary keys.

  1. Sign Up or Log In: Access your Catch The Show account or create a new one. The Developer Plan offers a free tier for initial exploration.
  2. Navigate to API Settings: Once logged in, locate the "API Keys" or "Settings" section in your dashboard. The exact navigation may vary but is typically intuitive Catch The Show documentation portal.
  3. Generate API Key: Follow the prompts to generate a new API key. You may be asked to give your key a descriptive name to help with organization, especially if you plan to have multiple keys for different applications or environments (e.g., development, staging, production).
  4. Securely Store Your Key: Upon generation, Catch The Show will display your API key. It is critical to copy this key immediately and store it in a secure location. For security reasons, the secret portion of the API key may only be shown once.
  5. Understand Key Types: Differentiate between public and secret keys if provided. Secret keys (API keys) should never be exposed in client-side code. Public keys (if applicable) are designed for client-side use with limited permissions.

For client-side access, your backend server will typically use a secret API key to generate temporary, scoped access tokens. This process is documented in the Catch The Show API reference, detailing how to create tokens with specific permissions and expiration times, which are then passed to your client applications.

Authenticated request example

This example demonstrates how to make an authenticated request to Catch The Show using a secret API key for a server-side operation. We will use Python with the requests library to create a new live stream, a common administrative task that requires high-level authentication.

Python Example (Server-side API Key)


import requests
import os

# Retrieve your API Key from environment variables or a secure configuration management system
# NEVER hardcode API keys directly in your source code.
CATCH_THE_SHOW_API_KEY = os.environ.get("CATCH_THE_SHOW_API_KEY")

if not CATCH_THE_SHOW_API_KEY:
    raise ValueError("CATCH_THE_SHOW_API_KEY environment variable not set.")

API_BASE_URL = "https://api.catchtheshow.com/v1"

headers = {
    "Authorization": f"Bearer {CATCH_THE_SHOW_API_KEY}",
    "Content-Type": "application/json"
}

# Define the payload for creating a new live stream
payload = {
    "title": "My New Live Stream",
    "description": "An example stream created via API",
    "is_public": True,
    "tags": ["demo", "api"]
}

# Make the API request to create a live stream
try:
    response = requests.post(f"{API_BASE_URL}/live-streams", json=payload, headers=headers)
    response.raise_for_status() # Raise an exception for HTTP errors (4xx or 5xx)

    stream_data = response.json()
    print("Live stream created successfully:")
    print(f"Stream ID: {stream_data.get('id')}")
    print(f"Stream URL: {stream_data.get('stream_url')}")
    print(f"RTMP Ingest URL: {stream_data.get('rtmp_ingest_url')}")

except requests.exceptions.HTTPError as http_err:
    print(f"HTTP error occurred: {http_err}")
    print(f"Response body: {response.text}")
except requests.exceptions.ConnectionError as conn_err:
    print(f"Connection error occurred: {conn_err}")
except requests.exceptions.Timeout as timeout_err:
    print(f"Timeout error occurred: {timeout_err}")
except requests.exceptions.RequestException as req_err:
    print(f"An unexpected error occurred: {req_err}")

This example demonstrates the use of a Bearer token in the Authorization header, a common pattern for API key authentication. For client-side operations, the process would involve obtaining a short-lived access token from your backend, which then gets used in a similar Authorization: Bearer <ACCESS_TOKEN> header from the client-side code.

Security best practices

Implementing strong security practices is essential when working with any API, especially those managing live video and user data. Catch The Show's compliance with SOC 2 Type II and GDPR underscores its commitment to security, but developers also play a critical role in securing their integrations Salesforce GDPR compliance guide.

  • Never Expose Secret API Keys: API keys (secret keys) must never be embedded directly in client-side code (JavaScript, mobile apps) or committed to public version control systems. Use environment variables, secret management services, or backend proxies.
  • Use Environment Variables: Store API keys in environment variables (e.g., CATCH_THE_SHOW_API_KEY) on your server or CI/CD pipelines. This prevents keys from being hardcoded.
  • Implement Backend for Frontend (BFF) Pattern: For client-side applications, route all sensitive API calls through your own backend server. Your backend uses the secret API key to communicate with Catch The Show and then relays necessary data to the client, or generates temporary, scoped access tokens for direct client-side use.
  • Scope Access Tokens: When generating client-side access tokens, apply the principle of least privilege. Grant only the minimum necessary permissions for the token's intended use and set short expiration times.
  • Regular Key Rotation: Periodically rotate your API keys. This practice limits the window of exposure if a key is compromised. Check the Catch The Show dashboard for key rotation features.
  • Monitor API Usage: Regularly review your API logs and usage metrics for unusual activity that might indicate unauthorized access attempts.
  • Secure Your Development Environment: Ensure that development machines and staging environments are secured to prevent credential leakage.
  • Use HTTPS/TLS: All communication with Catch The Show APIs should occur over HTTPS/TLS to encrypt data in transit. Catch The Show enforces this by default.
  • Error Handling: Implement robust error handling in your application to gracefully manage authentication failures without exposing sensitive information to end-users.

Adhering to these best practices helps maintain the integrity and confidentiality of your Catch The Show integration and the data it handles.