If it helps, I looked at the network traffic for the desktop web browser access to a stream.
There is a call to
https://mlbentitlementservices.mlb.com/e...ipalId=<id redacted>&includeFeatures=true
Request method is OPTIONS
The response has no payload but has one cookie
HTTP/2.0 200 OK
date: <redacted>
content-length: 0
set-cookie: __cfduid=<redacted>; expires=<redacted>; path=/; domain=.mlbentitlementservices.mlb.com; HttpOnly
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
access-control-allow-origin:
https://www.mlb.com
access-control-allow-methods: GET
access-control-allow-headers: authorization
access-control-allow-credentials: true
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
cache-control: no-cache, no-store, max-age=0, must-revalidate
pragma: no-cache
This is followed by a GET to the same URL which returns a json object
{"contents":[{"id":"redacted","principalId":"redacted","principalType":"user","alternatePrincipalId":"redacted","entitlementCode":"MLBVIDEOAR",
"source":"TMOBILE_REDEMPTION","sourceId":"redacted","startsOn":"2019-03-26T17:29:23.127+0000",
"expiresOn":"2020-02-28T11:19:00.000+0000","hasClones":false,"entitlementDefinition":
{"code":"MLBVIDEOAR","displayName":"MLBVIDEOAR","description":"MLB Video and GameDay Audio for auto-renew customers",
"featureCodes":["mobile.atBatPurchased","mobile.highlights","mobile.platformAccess.blackberry","mobile.tvAccess","mobile.classicGames",
"mobile.notifications","mobile.gameday","mobile.stats","mobile.sponsor_tv_override","mobile.tvAccessAndroid","mobile.atBatAccess",
"mobile.platformAccess.windowsphone8","mobile.fgod","mp4.mlbtvOwned","mobile.postseasontv","mobile.androidEnabled",
"mobile.sponsor_app_override","mobile.platformAccess.android","mp4.premiumMessage","cp.mlbtvOwned","mobile.sponsor_fgod_override",
"samsungsse.mlbtvOwned","mobile.audioAccess","mobile.livelookin","mobile.platformAccess.ios"]
},
"isActive":true,"isClone":false}
],"hasMore":false,"contentsCount":1}
Just posting this in case this indicates something has changed in the authentication hand-shake procedure to get the stream.