Generate a signed HMAC token

Each segment request made using segment redirect pod serving must include a HMAC-signed token for authentication, if not using early ad break notifications.

This token can be calculated once per ad break and shared across all stream sessions.

Gather token parameters

Gather the following information from the current ad break, to populate the token body.

Token Parameters
custom_asset_key Required The custom livestream asset key, from Google Ad Manager.
cust_params Optional Custom targeting parameters. See cust_params.
exp Required Expiration timestamp for this token in seconds.
network_code Required The Ad Manager 360 network code for this network.
pod_id Required Identifier for the ad break. Should be an integer starting at 1 and increasing by one for each ad break.

This value must be the same across all users viewing the same ad break in the current event.

pd Required, except for events with durationless ad breaks enabled. The duration in milliseconds of the ad break. Referred to above as ad_pod_duration.
scte35 Optional Base64-encoded SCTE-35 signal. It's the client's responsibility to ensure that the signal is correct. If incorrect, a message is sent to the X-Ad-Manager-Dai-Warning HTTP header in the response and the signal is still propagated to create an ad break. See the supported ad markers for more information on how DAI uses the SCTE-35 signal.

Create token string

list each parameter in alphabetical order, in the format name=value, with each name-value pair separated by a tilde (~) character.

Optional parameters without a value can be left in-place with an empty string for the value, or removed entirely.

token string format


Generate HMAC signature

The HMAC signature is a SHA-256 hash of the token string in HEX format. The secret key is the HMAC authentication key associated with your livestream event in Google Ad Manager.

Sign token string

Once generated, append the HMAC signature to the token string in the following format

~hmac={HMAC signature}

URL-encode token string

This token is passed as a URL parameter, so it must be URL-encoded for safety.

Example 1

Here's an example where unused optional parameters are included as empty strings.

Token string


Secret key


HMAC signature


Signed token


URL-encoded signed token:


Example 2

Here's an example where the unpopulated optional variables are omitted entirely.

Token string

Secret key
HMAC signature

Signed token


URL-encoded signed token