PSSH is the standardised container (ISO/IEC 23001-7:2024 "Common Encryption", aka CENC) inside an MP4 file for DRM-system-specific information. Every DRM system has a unique 16-byte System ID — Widevine edef8ba9-79d6-4ace-a3c8-27dcd51d21ed, PlayReady 9a04f079-9840-4286-ab92-e65be0885f95, FairPlay 94ce86fb-07ff-4f43-adb8-93d2fa968ca2 — and the PSSH box's SystemID field tells the player which CDM should read its Data payload.
For multi-DRM delivery, a CMAF file typically carries multiple PSSH boxes — one per DRM system. The Widevine PSSH points at the Widevine license server; the PlayReady PSSH carries the WRMHEADER pointing at the PlayReady license server; the FairPlay PSSH points at the FPS key server. The player picks the PSSH matching its CDM, extracts the data, and uses it to construct the license request.
PSSH boxes appear in either the moov (init segment) or moof (fragment) of an MP4/CMAF file. Best practice in 2026 is to put all PSSH data in the init segment so it loads once at startup, not in every fragment. The mpd manifest also carries equivalent ContentProtection elements that mirror the PSSH content — players can use either, but the in-band PSSH wins when both are present.
