← Back to blog

Why You Can't Record DRM-Protected Live Streams (And How to Tell If a Stream Is Protected)

Widevine, FairPlay, and PlayReady DRM block every browser-extension recorder by design. Here's why, how to spot DRM streams before wasting time, and what tools actually work.

You install a stream recorder, hit Record on a Netflix-like live broadcast or a premium sports feed, and the resulting file is a few-MB blob that no player will open. Or the extension just says “DRM-protected — cannot be downloaded.” Either way, the stream wasn’t recordable.

That’s not a bug in the recorder. It’s the recorder correctly hitting the wall of DRM (Digital Rights Management). DRM is designed to make exactly this — capturing protected content outside the official player — impossible. This post explains how DRM works in 2026, how to identify protected streams before you start, and what actually changes when something is DRM-locked.

What DRM actually does

In a regular HLS or DASH live stream, the video segments are encrypted with a key that anyone can read — it’s published in the manifest, deliberately, so any player can decrypt and play. The “encryption” is more like a uniform than a lock. This is why a downloader can record a normal HLS live stream as bit-for-bit copies of the segments: the key to decrypt them comes free with the manifest.

In a DRM-protected stream, the segments are also encrypted, but the decryption key is not in the manifest. Instead:

  1. The player requests a key from a license server, sending an authenticated request that proves the user is a paying subscriber
  2. The license server returns the key wrapped inside a hardware-backed secure module (Widevine, FairPlay, or PlayReady — see below)
  3. The key never enters JavaScript memory, never enters extension memory, never enters anywhere a recorder can read it
  4. The decryption happens inside a hardware-isolated trusted execution environment (TEE) on the user’s device
  5. The decrypted video frames are sent directly to the GPU compositor, bypassing the OS framebuffer

This means even if a recorder captures every encrypted segment perfectly, the segments are useless garbage without the key. And the key never leaves the TEE.

The three DRM systems you’ll encounter

There are three major DRM systems in browser video, and most premium services use all three so they can support every browser:

DRMUsed byBrowsers
WidevineNetflix, Disney+, HBO Max, Amazon Prime, Hulu, most VOD platforms, Twitch’s premium contentChrome, Edge, Firefox, Android, Smart TVs
FairPlay Streaming (FPS)Apple TV+, iTunes, Vimeo OTT, CineSend, premium film festival platformsSafari, iOS, macOS
PlayReadyMicrosoft services, some sports broadcasters, some European OTTEdge, Xbox, Windows native players

All three work the same way at the user level: key request → license response → decrypt-in-TEE → render-to-GPU. The differences are mostly which platforms support them.

How to tell if a stream is DRM-protected before you try to record

Three reliable signals:

1. Subscription required + studio content

If a service costs money and shows content from a major studio (Disney, Warner, Universal, Sony, Apple), it’s almost certainly DRM-protected. The licensing contracts those studios sign require DRM as a condition of distribution.

Concrete list: Netflix, Disney+, Hulu, HBO Max, Amazon Prime Video, Apple TV+, Peacock (paid tier), Paramount+, Crunchyroll Premium, Vimeo OTT, Apple Music videos, YouTube Premium movies. All DRM-protected, all unrecordable.

2. EME calls in DevTools

The technical signal: any stream using DRM in a browser must go through the Encrypted Media Extensions (EME) API. You can check directly:

  1. Open Chrome DevTools (F12)
  2. Console tab
  3. Reload the page with the stream playing
  4. Search the console for requestMediaKeySystemAccess or MediaKeySession

If those API calls happen, the stream is using EME, which means DRM. If they don’t, the stream is plain HLS/DASH and recordable.

The Video Downloader One-for-All extension does this check automatically and surfaces a “DRM-protected” badge in the popup so you don’t have to dig through DevTools.

3. Manifest contains ContentProtection (DASH) or EXT-X-KEY KEYFORMAT="com.apple.streamingkeydelivery" (HLS)

If you have access to the raw manifest URL, look at the contents:

  • DASH (.mpd): search for <ContentProtection> elements. The schemeIdUri attribute identifies the DRM system (urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed is Widevine, urn:uuid:9a04f079-9840-4286-ab92-e65be0885f95 is PlayReady, urn:uuid:94ce86fb-07ff-4f43-adb8-93d2fa968ca2 is FairPlay).
  • HLS (.m3u8): search for EXT-X-KEY tags. If the KEYFORMAT is com.apple.streamingkeydelivery or urn:uuid:edef8ba9-79d6-4ace-a3c8-27dcd51d21ed, it’s DRM.

If you see plain EXT-X-KEY METHOD=AES-128 with a URI you can fetch with a regular HTTP GET, the stream is encrypted but not DRM-protected — a good recorder can decrypt it.

What about analog hole / screen recording?

The classic workaround: if you can see it on your screen, you can screen-record it.

This used to be true. In 2026, mostly it isn’t.

DRM-protected video is rendered through a path that signals HDCP (High-bandwidth Digital Content Protection) to the OS compositor. The compositor blacks out the protected region for any screen capture API — OBS, QuickTime, Windows Game Bar, Snipping Tool. You see the video; the screen recorder records a black rectangle where the video was.

There are bypasses (HDCP strippers, virtual machines without compositor enforcement, analog capture cards on a second device pointed at a screen) but they’re either expensive hardware or in legally murky territory. For browser-extension users: no, you can’t get around DRM by screen-recording.

What protected streams look like to a recorder

When you point a stream recorder at a DRM-protected source, three things can happen:

  1. The recorder detects DRM early and refuses (the correct behavior — surface the limitation up front)
  2. The recorder records the encrypted segments and produces an unplayable file (frustrating but better than #3)
  3. The recorder claims success and lets you waste hours before you realize the output is broken

Good recorders do #1. Cheap ones do #2 or #3.

Video Downloader One-for-All added DRM detection in v1.1.27 — it now reads EXT-X-KEY KEYFORMAT and DASH ContentProtection elements and marks DRM streams as undownloadable in the popup before you waste a quota slot. Other recorders may or may not have this.

What does work for premium content

If you legitimately want to keep a video you’ve paid for offline:

  • Most streaming services have an official offline download feature in their app (Netflix mobile, Disney+ mobile, Apple TV+ on Mac). These work because the official app has access to the DRM key flow.
  • Premium content with no offline support is, intentionally, not portable. That’s the business model.
  • For DRM-free live streams (most Twitch, YouTube Live except DRM movies, Kick, all webcam platforms, regional sports feeds, news broadcasts), a stream recorder works perfectly. See our Twitch recording guide for the workflow.

Bottom line

DRM exists specifically to prevent capture, and it works. If a stream uses Widevine, FairPlay, or PlayReady — and you can usually tell from “is this premium subscription content from a major studio” — no browser extension is going to record it. That’s not a missing feature, that’s the design.

The good news: the vast majority of streams that people actually want to record (game broadcasts, webcam content, news, regional sports, educational content, friends’ Lives) are not DRM-protected. Those record fine.

When in doubt, check the popup. If you see “DRM-protected,” save yourself the time.