Industry Solutions

Bulletproof Security in iGaming: Meeting Industry Demands


In the iGaming industry, where high-stakes business risks, and escalating regulations are the norm, the importance of robust cybersecurity cannot be overstated. Ensuring that iGaming content is not streamed in regions where it is either illegal.

In the iGaming industry, where high-stakes business risks, and escalating regulations are the norm, the importance of robust cybersecurity cannot be overstated. Ensuring that iGaming content is not streamed in regions where it is either illegal, subject to restrictions, or accessible to underage bettors is crucial for live casino and live sports operators. It maintains their compliance with the law, protects their reputation, and avoids potential fines or sanctions that can severely impact their business operations.

Security in iGaming is not just about protecting financial assets though; it’s also about safeguarding the personal data of players, which can become a target for cyber criminals. Distribution of real-time streams requires scalability, stability, and security. If a security breach should occur, you face the risk of damaging the player’s trust and consequently, a decline in future revenue.

In this blog, we’ll delve into a multi-layered security approach aimed at fortifying your real-time streams against unauthorized access.

Dolby Millicast security features:

  1. Publish and Subscribe tokens
  2. Self-signed tokens
  3. Allowing only specific origins
  4. Geo-blocking
  5. IP filtering
man on computer typing with an overlay of a cybersecurity lock and interface in blue

1. Publish and Subscribe tokens

How do tokens work?

Tokens are generated to authenticate and give access to a stream for a specific period of time. You will use separate tokens for broadcasting and viewer playback so that only appropriate authorizations are granted depending on your requirements, such as:

  • Specifying specific domain names or allowed origins
  • Identifying IP addresses to filter


To broadcast a real-time stream the connection must be authenticated with a valid Publish token. The Dolby Millicast platform uses token authentication for publishing to prevent unauthorized distribution of streaming content from your account. Without a valid token, publish requests will be rejected by the servers.


By default, viewers don’t need a token to view a real-time stream. However, if you want to secure your stream from being viewed by non-authenticated users, Dolby Millicast provides the ability to use subscribe tokens.

When enabled, streams that require a subscribe token will block access to users not in possession of a valid token coming from a valid domain. This makes subscribe tokens useful for protecting paywalled content or non-public content. Subscribe tokens also allow you to add time limits, specify IPs, and even set the token to only work from single or multiple specified domains.

Pro Tip! Temporary Publish tokens are recommended.

Having an expiration date can prevent old or exposed tokens from becoming a long-term vulnerability by limiting the duration they are valid. Tokens can always be deleted manually, but if you know you only need the token for a set period, it is more secure to create a token that is only valid for that duration.

In the event your secure token has been compromised, you can renew it by clicking the renew button under the “Publishing token” string in the user dashboard.

Dolby Millicast live broadcast screen showing how to publish a token with a red arrow pointing at renew

Once you’ve finished using a subscribe token, it is recommended that you retire the token by deleting it to prevent accidental vulnerabilities.

2. Self-signed tokens

Dolby Millicast supports the ability to self-sign subscribe tokens without having to make an API call. Self-signing the token locally allows you to generate your subscribe token more efficiently. When tracking many individual streams among your users, you only need to generate one Dolby Millicast token and can then delegate that authorization by generating new self-signed JWT tokens in your application without needing to fetch a new subscribe token for each new stream.

The subscribe token functions as a parent token, and any self-signed token generated from this will inherit any restrictions or parameters that are specified when the subscribe token is created. Leveraging this functionality optimizes time management and enhances the efficiency of your streaming workflows.

Self-signing your Subscribe token allows you to:

  • Sign the subscribe token locally in the programming language of your choice.
  • Reduce the number of API calls to the server.
  • Track bandwidth usage with each of the self-signed tokens.

Pro Tip! Self-sign your Subscribe tokens.

Using the Token API is great for producing a few tokens, but for true scalability and speed you should self-sign your tokens.

3. Allowing only specific origins

Setting up allowed origins as a means of access control is done by specifying the domain where a request will originate. If you have deployed a website or application to a cloud provider, you may not know the IP address of a server, but any usage of a token can be restricted to the domain name for your application.

This approach helps prevent unauthorized usage of tokens. You can choose to create single, multiple or wildcard domains that are “allowed origins”.

  • A single domain:
  • Multiple domains comma delimited:,
  • Wildcard domains: *

Within the Security section you can edit the Allowed origins to specify a list of domain names.

Dolby Millicast platform dashboard highlighting allowed regions

4. Geo-blocking

Geo-blocking refers to restricting access to certain content based on the geographical location of the user. From the Dolby Millicast dashboard, you can set geo-blocking for either the Publish or Subscribe token. Geo-location in both tokens refers to the location from which viewers can watch a stream.

 If you restrict access to a stream in some countries using the publish token, people from those countries will not be able to watch the streamed content, even if the stream is unauthenticated and does not require the subscribe token. Geo-blocking does not impact broadcasting.

There are some settings you can use when configuring geo-blocking.

  • Allow countries lets you specify one or more countries by name that should be permitted to broadcast or view a stream.
  • Deny countries lets you specify one or more countries that should be prohibited from broadcasting or viewing a stream.
Dolby Millicast showing Setting screen and Token defaults tab

End viewers that will be blocked from content will see a message in the player stating Country not allowed when trying to access the viewer.

Pro Tip! Save time and enable geo-blocking at the account level.

Turning on geo-blocking for your entire account means that this feature will be activated for all existing and future publish tokens. If you want to turn it off, just remove the selected countries, and the new settings will take effect.

5. IP Filtering

You can also deny access to content if you know the domain name or IP address that will be used to broadcast or view a stream. Setting up an IP filter as a means of stream access control may depend on whether or not you know the originating IP address ahead of time.

Allowed IP addresses

This method lets you clearly specify multiple IP addresses that are allowed to either broadcast or play back content. Once IP addresses are set, only those specific addresses or networks will be allowed to publish or view an iGaming stream.

If the user’s network changes, they will be rejected for future connections, however, the Allowed IP addresses can be updated.

Dolby Millicast Add New Token screen highlighting allowed IP addresses

Security is a critical aspect for iGaming operators as it directly influences their credibility and customer trust. In an industry that heavily relies on online transactions, operators are often targets of cyber threats, data breaches, and fraudulent activities. Ensuring robust security measures not only helps prevent potential financial losses, but also safeguards the operator’s reputation.

Furthermore, adherence to data protection regulations is crucial to avoid legal consequences. Therefore, prioritizing security is essential for the sustainability and success of iGaming operations.

For more information on how to secure your streams through the Dolby Millicast dashboard or our real-time streaming APIs, please see our step-by-step tutorials for Publish and Subscribe tokens and Geo-blocking.

Rose Power

Senior Product Marketing Manager

Rose Power is the Senior Product Marketing Manager for Dolby Millicast. She is driven to build authentic relationships and craft simple solutions in the video-streaming sector. In her downtime, Rose enjoys strumming on her ukulele, tending to her garden, or embarking on hiking adventures with her backpack and pup.

Get Started

Drive real-time interactions and engagement with sub-second latency

We are more than just a streaming solutions provider; we are a technology partner helping you build a streaming ecosystem that meets your goals. Get started for free and as you grow, we offer aggressive volume discounts protecting your margins.

Developer Resources

Explore learning paths and helpful resources as you begin development with

Copy link
Powered by Social Snap