
Vimeo API & Privacy: which settings allow video to be visible from a mobile app?


Use case

We need to upload video to the app dev account on Vimeo, not to a 3rd-party-owned account.

We need the video to be totally invisible and not searchable.

We need the video to be embeddable in some domains (this part works even with privacy.view set as hidden)

We need a mobile app (iOS and Android) to play the videos (when app + our API server authorize the user).

From the doc

Field: privacy.view. These are the allowed settings from official doc

  • anybody [NO: my video cannot be public]
  • contacts
  • disable [this is equivalent to the UI setting 'hidden from Vimeo'; I cannot use this because the video will NOT be visible from the mobile app]
  • nobody
  • password [cannot use this because we don't want user to insert a password]
  • unlisted
  • users

Question

I cannot use some of the previous settings, as stated in the listing. Which of the remaining settings allow a user from a mobile app to see the video but still keep the video reserved? It is important that the video is not listed when a user opens our Vimeo account, and it must not be searchable.

Side note: I am asking the community here because Vimeo's developers gave us bad info: they told us that disable will allow viewing from a mobile app.


Solution

  • What you're attempting to do is possible.

    Secure your account in general

    Here are some steps to follow:

    1. Set your account (and not specific videos) to private.

    This will effectively secure all your videos at once and ensure they can't be embedded in general.

    2. Set your account-wide accepted domains.

    This ensures that by default your videos will all belong to the domains you specify.

    Mobile App Videos

    This is a little more tricky. Tricky because there isn't really a "domain" on a mobile app (unless it's a webview and you're serving an embedded video).

    To solve this issue here is a recommendation. Each video (in its own settings) will have a list of available URLs for streaming. These URLs are precious. They do not work with the domain whitelist. Luckily they cannot be discovered unless they are made available to the public.

    For streaming, you should use the HLS video URL (video quality will adapt depending on the user's connection speed).

    Essentially, your API should fetch the HLS video URL from the Vimeo API and return it to your mobile application. You must understand that these URLs are not secured behind a domain whitelist. This means that if the user happens to get their hands on the URL they can effectively use the URL anywhere.

    Of course, most users will be completely oblivious to how to discover the HLS URL. However, you can make this process more complex so novice hackers and so forth will have trouble debugging your app to get the URLs from your API requests.

    1. A simple encoding of the HLS URL server side
    2. A simple decoding of the HLS URL client side
    3. Regenerating all HLS URLs after a while, invalidating previous ones (unsure if this feature is currently available)

    This will complicate the process for the people trying to discover the URL. However, anyone actually having the right tools can see the video player send a request with the HLS URL for the video.
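
The broker pattern described in the answer, as an added example that is not part of the original answer or Vimeo's code: the API server releases the HLS URL only for a short-lived, per-user, per-video ticket, so the mobile app never holds the Vimeo credentials. The ticket format, the function names and the `files`/`quality`/`link` record shape are assumptions made for this sketch, and `fetch_video` stands in for the server's own authenticated call to the Vimeo API.

```python
import hashlib
import hmac
import time

# Constructed sample of a video record as the API server might receive it.
# The "files"/"quality"/"link" field names are assumptions for this sketch.
SAMPLE_VIDEO = {
    "uri": "/videos/000000",
    "files": [
        {"quality": "hd", "link": "https://media.example.invalid/000000/hd.mp4"},
        {"quality": "hls", "link": "https://media.example.invalid/000000/master.m3u8"},
    ],
}


def pick_hls_url(video):
    """Return the adaptive (HLS) stream URL from a video record, or None."""
    for entry in video.get("files", []):
        if entry.get("quality") == "hls" and entry.get("link", "").startswith("https://"):
            return entry["link"]
    return None


def issue_ticket(secret, user_id, video_id, ttl=60, now=None):
    """Short-lived ticket the server issues once it has authorized the user."""
    expires = int(now if now is not None else time.time()) + ttl
    msg = f"{user_id}|{video_id}|{expires}".encode()
    return f"{user_id}|{video_id}|{expires}|" + hmac.new(secret, msg, hashlib.sha256).hexdigest()


def ticket_is_valid(secret, ticket, video_id, now=None):
    """Check signature (constant time), video binding and expiry; fail closed."""
    try:
        user_id, vid, expires, sig = ticket.split("|")
        expires_at = int(expires)
    except ValueError:
        return False
    msg = f"{user_id}|{vid}|{expires}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    fresh = expires_at >= int(now if now is not None else time.time())
    return hmac.compare_digest(sig.encode(), expected.encode()) and vid == video_id and fresh


def playback_url(secret, ticket, video_id, fetch_video, now=None):
    """Endpoint body: only a valid ticket makes the server look up the HLS URL."""
    if not ticket_is_valid(secret, ticket, video_id, now):
        return None  # caller maps this to HTTP 403; no upstream request is made
    return pick_hls_url(fetch_video(video_id))
```

This limits who is handed the URL and for how long a ticket is accepted; as the answer notes, the HLS URL itself still works anywhere once a client has it.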