Inside the Qencode + DoveRunner Webinar: Securing Your Pipeline
- A secure video pipeline usually means three vendors and the brittle integrations between them. Qencode and DoveRunner collapse that into one workflow with zero custom integration code.
- Qencode runs multi-DRM from one packaging job. It pulls keys from DoveRunner’s KMS, encrypts the segments with AES-128 CTR, and outputs HLS for FairPlay alongside DASH for Widevine, PlayReady, and WisePlay from a single source.
- DoveRunner mixes two encrypted variants at the CDN edge per viewer, so A/B forensic watermarking runs server-side with no client SDK.
- Both flows finished in the live demo in minutes, against the same Qencode REST API.
Why this matters
Premium video pipelines usually involve at least three vendors: one for transcoding, one for DRM key management and license delivery, one for forensic watermarking. Each one comes with its own SDK, its own auth model, its own pricing meter, and its own support contract. The integration surface between them is where production breaks, where launches slip, and where a content licensing deal stalls because the studio’s security audit found a gap nobody owns.
For most engineering teams, the cost of a secure video pipeline is not the licensing fees. It is the months spent stitching the pieces together, the on-call burden of maintaining three integrations, and the risk that one of them breaks the others on a vendor’s release schedule. Consolidating that work into one workflow is the difference between launching premium content this quarter and launching it next year.
In the webinar, Qencode CTO Nikita Yeryomin ran the full Qencode and DoveRunner pipeline live, from KMS key fetch to encrypted DASH playback to A/B watermark mixing, with zero custom integration code.
How the secure video pipeline works
When a viewer leaks a clip, the unique A/B sequence stamped into their stream lets DoveRunner’s detection API recover the session ID frame-by-frame.
The architecture
Multi-DRM packaging from a single transcode job
DoveRunner exposes a KMS endpoint. Qencode hits it during the transcode job to fetch the content key and key ID, applies AES-128 CTR encryption to the segments, and outputs both HLS (FairPlay) and DASH (Widevine, PlayReady, WisePlay) manifests from a single source. License acquisition happens client-side against DoveRunner’s license servers.
What this replaces:
- A separate packaging step per DRM system
- Custom code to wire key management into the encoder
- Duplicate transcode jobs to produce DRM-specific outputs
What you get:
- One job covering four DRM systems
- Keys provisioned and rotated by DoveRunner, kept out of your application code
- A single output bucket ready for delivery
A/B forensic watermarking via segment mixing
Client-side forensic watermarking puts an SDK on every device. It breaks on smart TVs, on older Android builds, and on anything you don’t control. Server-side watermarking through A/B segment mixing sidesteps that.
How it works:
- Qencode produces two encrypted renditions of the same source. Variant A embeds an invisible payload of 0s, variant B embeds 1s.
- Both variants match on bitrate, resolution, and segment boundaries, so the player can’t tell them apart and treats them as interchangeable at the CDN edge.
- The DoveRunner session manager issues a per-viewer mixing instruction. The CDN serves a unique A/B sequence per viewer that encodes a binary session ID.
- When a clip leaks, the DoveRunner detection API recovers that ID from the file frame-by-frame.
The flow runs server-side, stays codec-agnostic, and needs no client SDK or per-device work. The two-variant output is standards-based HLS and DASH, so any CDN with edge logic (CloudFront Functions, Fastly VCL, Cloudflare Workers) can handle the mixing.
The demo
Nikita ran a Python script against the Qencode REST API in three steps.
- POST a key generation request to DoveRunner’s KMS.
- Submit a transcode job with the returned KID and key, then validate playback inside the Qencode player with the DASH MPD pointed at the encrypted output.
- Run the watermarking workflow with
--ab_watermarkenabled. Both variants land in the same Qencode bucket, ready for CDN mixing logic.
End to end, both flows finished in under five minutes.
Business outcomes
| Outcome | What changes |
| Faster deployment | You compress weeks of multi-vendor integration work into a single API call. The pipeline that ships premium content this quarter, not next year. |
| Lower integration overhead | No SDK on the client, no custom key management code, no separate packaging step per DRM system. You maintain fewer surfaces on-call. |
| Reduced operational risk | One vendor relationship for encoding and packaging, one for DRM and watermarking. Two contracts instead of four, with the integration point already tested in production. |
| Audit-ready content protection | Studios expect multi-DRM coverage plus forensic watermarking before they license premium content. The pipeline is built to pass that review. |
Build it
There are ways to move forward:
- Read the technical reference: DoveRunner packaging docs and the Qencode API documentation
- Get production credentials: Contact the Qencode team to set up a secure video pipeline against your own content
Frequently asked questions
What is a secure video pipeline?
It’s the chain of services that takes a source video from upload through transcoding, DRM packaging, watermarking, and delivery, with content protection applied at every stage. A working pipeline covers multi-DRM packaging (FairPlay, Widevine, PlayReady, WisePlay), forensic watermarking for leak attribution, and standards-based delivery over HLS and DASH.
How does Qencode integrate with DoveRunner for multi-DRM?
Qencode calls DoveRunner’s KMS endpoint during the transcode job to fetch the content key and key ID, applies AES-128 CTR encryption to the video segments, and outputs HLS for FairPlay and DASH for Widevine, PlayReady, and WisePlay from a single source. License acquisition happens client-side against DoveRunner’s license servers. You skip the separate packaging step per DRM system.
What is A/B forensic watermarking, and why does it skip the client SDK?
A/B forensic watermarking produces two encrypted variants of the same video, with different invisible payloads (0s in variant A, 1s in variant B) at matching bitrates and segment boundaries. The CDN mixes the variants per viewer to encode a unique session ID into each stream. Because the work happens server-side at the CDN edge, you ship no SDK on the client and no per-device code, and the approach stays codec-agnostic. When a clip leaks, the DoveRunner detection API recovers the session ID frame-by-frame.
Which DRM systems does this secure video pipeline support?
Four. FairPlay covers Apple devices via HLS, Widevine covers Google and Android, PlayReady covers Microsoft and many smart TVs, and WisePlay covers Huawei devices. A single Qencode transcode job covers all four, with keys managed by DoveRunner.
How long does the integration take?
In the live demo, the full pipeline (key fetch, transcode, encryption, multi-DRM packaging, watermarking) ran in under five minutes against the Qencode REST API. A production setup with custom workflow logic typically takes days, because you write no custom code to wire the encoder to the DRM and watermarking layers.
Which CDNs work with the A/B watermark mixing?
Any CDN with edge logic that can route per-request, such as CloudFront Functions, Fastly VCL, or Cloudflare Workers. The two-variant output is standards-based HLS and DASH, so the mixing logic stays at the CDN edge and skips any proprietary delivery layer.
Speakers
- Murad Mordukhay, CEO and co-founder, Qencode
- Nikita Yeryomin, CTO, Qencode
- Erik Peña, Product Manager Multi-DRM, DoveRunner
- Harish Bahat, Product Manager Forensic Watermarking, DoveRunner
