Commit e724bf8

authored
Update media-services-content-protection-overview.md
1 parent c1535c0 commit e724bf8

1 file changed

+13
-0
lines changed

articles/media-services/previous/media-services-content-protection-overview.md

Lines changed: 13 additions & 0 deletions
@@ -71,6 +71,19 @@ With a token-restricted authorization policy, the content key is sent only to a
7171

7272
When you configure the token restricted policy, you must specify the primary verification key, issuer, and audience parameters. The primary verification key contains the key that the token was signed with. The issuer is the secure token service that issues the token. The audience, sometimes called scope, describes the intent of the token or the resource the token authorizes access to. The Media Services key delivery service validates that these values in the token match the values in the template.
7373

74+
### Token replay prevention
75+
76+
The *Token Replay Prevention* feature allows Media Services customers to set a limit on how many times the same token can be used to request a key or a license. The customer can add a claim of type `urn:microsoft:azure:mediaservices:maxuses` in the token, where the value is the number of times the token can be used to acquire a license or key. All subsequent requests with the same token to Key Delivery will return an unauthorized response. See how to add the claim in the [DRM sample](https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials/blob/master/AMSV3Tutorials/EncryptWithDRM/Program.cs#L601).
77+
78+
#### Considerations
79+
80+
* Customers must have control over token generation. The claim needs to be placed in the token itself.
81+
* When using this feature, requests with tokens whose expiry time is more than one hour away from the time the request is received are rejected with an unauthorized response.
82+
* Tokens are uniquely identified by their signature. Any change to the payload (for example, update to the expiry time or the claim) changes the signature of the token and it will count as a new token that Key Delivery hasn't come across before.
83+
* Playback fails if the token has exceeded the `maxuses` value set by the customer.
84+
* This feature can be used for all existing protected content (only the token issued needs to be changed).
85+
* This feature works with both JWT and SWT.
86+
7487
## Streaming URLs
7588
If your asset was encrypted with more than one DRM, use an encryption tag in the streaming URL: (format='m3u8-aapl', encryption='xxx').
7689
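
Review bot: In the added "Token replay prevention" paragraph, "All subsequent requests with the same token" does not say subsequent to what; the sentence should state that requests are rejected once the token has already been used `maxuses` times. The same paragraph links the DRM sample at `master` with a `#L601` anchor, which will point at a different line as soon as that file changes, so a commit permalink or a reference to the method name would be more durable. In the Considerations list, the one-hour expiry bullet does not say how a token with no expiry time is treated, and the "uniquely identified by their signature" bullet would be clearer if it said outright that the limit is counted per issued token, so an issuer that re-signs a token for each request gets a fresh count every time. The expected type and valid range of the claim value (for example whether `0` is accepted) are also left unstated.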
