Encrypted HLS signals to check
| Signal | What it means | What to test |
|---|---|---|
| #EXT-X-KEY:METHOD=AES-128 | The stream uses standard HLS segment encryption. | Confirm the key URI loads through the same direct or proxy path as the segments. |
| Key request blocked | The manifest loads, but playback fails when the player fetches the key. | Enable the proxy or fix Access-Control-Allow-Origin for the key URL. |
| Protected key endpoint | The key URL returns 403 unless requests include the original page context. | Set the source page as Referer through the proxy and retry playback. |
| Rotating keys | The playlist references more than one key over time. | Test enough of the stream to confirm every referenced key remains reachable. |
| DRM system | The stream requires Widevine, FairPlay, PlayReady, or license exchange. | Use the licensed app or player. This tool does not bypass DRM. |
How to test an encrypted M3U8 stream
- 1Paste the encrypted M3U8 URLStart playback with the direct URL so you can see whether the manifest, key, and segments are reachable without extra routing.
- 2Inspect the manifest with the health reportRun the validator to check whether the playlist references #EXT-X-KEY and whether it looks like live or VOD HLS.
- 3Route keys and segments togetherIf CORS blocks the key or media files, enable the proxy so the manifest, key URI, and segments all use the same browser-readable origin.
- 4Add Referer for protected key endpointsIf the key URL returns 403, set the original playback page as Referer through the proxy and retry the stream.
- 5Stop at DRM boundariesIf the stream requires a license server or DRM stack, use the authorized player. AES-128 key access is not the same as DRM bypass.
AES-128 HLS is different from DRM
AES-128 HLS stores a key URI in the playlist with #EXT-X-KEY and encrypts normal media segments. If you are allowed to access the key, a browser HLS player can usually decrypt playback. DRM systems require license exchange and platform CDMs, which this tool does not replace or bypass.
Why key URLs fail even when the manifest loads
The manifest, key, and segments can live on different paths or domains. A stream may expose the playlist but block the key with CORS, signed URL expiry, or Referer checks. For encrypted streams, every request in the chain has to be reachable, not just the first .m3u8 file.
How conversion handles encrypted HLS
For normal AES-128 streams that are accessible, the MP4 converter can fetch the key referenced by the manifest and decrypt during the FFmpeg step. If key access is blocked, fix proxy or Referer routing before trying to export MP4 or MP3.
Related encrypted HLS pages
- M3U8 to MP4 converter can export accessible AES-128 HLS streams with local FFmpeg WebAssembly.
- HLS CORS error explains why key and segment requests need browser-readable responses.
- Custom Referer M3U8 player covers protected key or segment endpoints that reject direct requests.
Frequently asked questions
Can this player play encrypted M3U8 streams?
Yes, for normal AES-128 HLS streams when the manifest, key URL, and media segments are reachable. It cannot bypass DRM systems or license servers.
What does #EXT-X-KEY mean in an M3U8 file?
#EXT-X-KEY tells the HLS player how media segments are encrypted and where to fetch the decryption key. For AES-128 HLS, that key URL must be reachable for playback or conversion to work.
Why does the encrypted stream fail after loading the manifest?
The most common cause is a blocked key request. The manifest may load, but playback fails when the browser cannot fetch the AES-128 key or later encrypted segments.
Can a CORS proxy help with encrypted HLS?
Yes, if the issue is browser access. The proxy must route the manifest, key URL, and media segments together so every encrypted HLS request is readable by the browser.
Does this bypass Widevine, FairPlay, or PlayReady?
No. DRM-protected streams require authorized license exchange and platform DRM support. This tool is for normal HLS debugging, not DRM bypass.