Varnish Enterprise 6.0.16r9 is a feature release that introduces experimental support for next-generation token authentication.
This release positions Varnish to handle the new industry standards for content protection, ensuring your delivery infrastructure is ready for modern anti-piracy workflows and seamless interoperability in multi-CDN environments.
The new feature is highlighted below. For the complete list of changes, please see the Changelog.
A new VMOD, vmod_cwt, has been added to enable the parsing, verification, and validation of CBOR Web Tokens (CWT) and Common Access Tokens (CAT).
Common Access Tokens (CAT) are a standard defined by the SVTA and CTA to securely answer the question: “Is this client allowed to access this content right now?”.
By using standard cryptographic signing and a compact binary representation (CBOR), these tokens provide a robust mechanism for content protection that offers several distinct advantages:
This VMOD allows Varnish to validate these tokens directly at the edge, ensuring requests are authenticated before they reach your origin.
Supported Algorithms
The module supports a range of standard cryptographic signature verification algorithms, including:
Example Usage
The following VCL snippet demonstrates how to import a key and validate a Common Access Token from a request header:
vcl 4.1;

import cwt;

sub vcl_init {
    # Import a COSE key (RFC 8392 Appendix A.2.2)
    cwt.import_cose_key(hex={"
a4205820403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d
795693880104024c53796d6d65747269633235360304
"});
}

sub vcl_recv {
    # Automatically import CAT from standard locations (e.g., headers)
    if (!cwt.import_cat()) {
        return (synth(400, cwt.get_error()));
    }

    # Verify signature and validate claims
    if (!cwt.accept()) {
        return (synth(403, cwt.get_error()));
    }
}
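The hex passed to cwt.import_cose_key() above is a CBOR-encoded COSE_Key. The Python sketch below is an added example, not part of the release notes or of vmod_cwt: it decodes that hex so the key type, key ID and algorithm can be reviewed before a key is placed in vcl_init. The function names are hypothetical, and the label and algorithm tables are taken from RFC 8152.

```python
# Added example (not Varnish code): decode the COSE_Key hex from the VCL above.
# Labels and ids are from RFC 8152; the hex is copied from the page.
KEY_HEX = """
a4205820403697de87af64611c1d32a05dab0fe1fcb715a86ab435f1ec99192d
795693880104024c53796d6d65747269633235360304
"""
KTY = {1: "OKP", 2: "EC2", 4: "Symmetric"}
ALG = {4: "HMAC 256/64", 5: "HMAC 256/256", 6: "HMAC 384/384", 7: "HMAC 512/512"}

def cbor_item(buf, pos=0):
    """Decode one definite-length CBOR item; returns (value, next_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info <= 27 and pos + (1 << (info - 24)) <= len(buf):
        size = 1 << (info - 24)
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("truncated, indefinite or reserved CBOR length")
    if major < 2:  # unsigned or negative integer
        return (arg if major == 0 else -1 - arg), pos
    if major in (2, 3):  # byte string or text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):  # array, or map read as 2*n consecutive items
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = cbor_item(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[::2], items[1::2]))), pos
    raise ValueError("unsupported CBOR major type %d" % major)

def describe_cose_key(hex_text):
    """Return the non-secret facts about a hex COSE_Key: type, kid, alg, size."""
    raw = bytes.fromhex("".join(hex_text.split()))
    key, end = cbor_item(raw)
    if end != len(raw) or not isinstance(key, dict):
        raise ValueError("expected exactly one COSE_Key map")
    k = key.get(-1) if key.get(1) == 4 else None  # label -1 is 'k' only for Symmetric
    return {"kty": KTY.get(key.get(1), key.get(1)),
            "kid": key.get(2),
            "alg": ALG.get(key.get(3), key.get(3)),
            "secret_bits": 8 * len(k) if isinstance(k, bytes) else None}
```

For the key on this page, describe_cose_key(KEY_HEX) reports a 256-bit symmetric key with key ID "Symmetric256" and algorithm HMAC 256/64. Because this key is printed in RFC 8392, it is suitable for testing only.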
Please note that the API is considered experimental at this time and may be subject to change in future releases.
For more information, please refer to the documentation for vmod_cwt.