diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj b/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj
new file mode 100644
index 0000000..a555ab3
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj	
@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <AssemblyName>GwpMinimalApiSample</AssemblyName>
+    <RootNamespace>Genetec.Dap.CodeSamples</RootNamespace>
+    <Description>Sample project</Description>
+    <Company>Genetec Inc.</Company>
+    <Copyright>Copyright © Genetec Inc. 2025</Copyright>
+  </PropertyGroup>
+
+</Project>
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs b/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs
new file mode 100644
index 0000000..54ac4a7
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs	
@@ -0,0 +1,62 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using System.Net.Http.Headers;
+using System.Text;
+
+var builder = WebApplication.CreateBuilder(args);
+
+var mediaGateway = builder.Configuration.GetSection("MediaGateway");
+var endpoint = mediaGateway["Endpoint"]?.TrimEnd('/') ?? throw new InvalidOperationException("MediaGateway:Endpoint is required.");
+var username = mediaGateway["Username"] ?? throw new InvalidOperationException("MediaGateway:Username is required.");
+var password = mediaGateway["Password"] ?? string.Empty;
+var sdkCertificate = mediaGateway["SdkCertificate"] ?? throw new InvalidOperationException("MediaGateway:SdkCertificate is required.");
+var serverVersion = mediaGateway["ServerVersion"];
+
+var authorizationParameter = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username};{sdkCertificate}:{password}"));
+
+builder.Services.AddHttpClient("MediaGateway", client =>
+{
+    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", authorizationParameter);
+}).ConfigurePrimaryHttpMessageHandler(() =>
+{
+    var handler = new HttpClientHandler();
+    if (builder.Environment.IsDevelopment())
+    {
+        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+    }
+    return handler;
+});
+
+var app = builder.Build();
+
+app.UseStaticFiles();
+
+app.MapGet("/api/config", () => Results.Ok(new
+{
+    mediaGatewayEndpoint = endpoint,
+    serverVersion = string.IsNullOrWhiteSpace(serverVersion) ? null : serverVersion.Trim(),
+}));
+
+app.MapGet("/api/token/{cameraId}", async (string cameraId, IHttpClientFactory httpClientFactory) =>
+{
+    if (string.IsNullOrWhiteSpace(cameraId))
+    {
+        return Results.BadRequest("A camera GUID is required.");
+    }
+
+    var client = httpClientFactory.CreateClient("MediaGateway");
+    var response = await client.GetAsync($"{endpoint}/v2/token/{Uri.EscapeDataString(cameraId.Trim())}");
+
+    if (!response.IsSuccessStatusCode)
+    {
+        return Results.StatusCode((int)response.StatusCode);
+    }
+
+    var token = await response.Content.ReadAsStringAsync();
+    return Results.Text(token);
+});
+
+app.MapFallbackToFile("index.html");
+
+app.Run();
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json b/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json
new file mode 100644
index 0000000..a626612
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json	
@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "GwpMinimalApiSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:59205;http://localhost:59206"
+    }
+  }
+}
\ No newline at end of file
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md
new file mode 100644
index 0000000..7508597
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
@@ -0,0 +1,77 @@
+# GWP Minimal API Sample
+
+This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core Minimal API application:
+
+- ASP.NET Core serves a static HTML page that loads and runs GWP.
+- A server-side `/api/token/{cameraId}` endpoint proxies token requests to the Media Gateway using credentials from `appsettings.json`. Media Gateway credentials never reach the browser.
+- A `/api/config` endpoint provides the Media Gateway endpoint and server version to the page without exposing authentication details.
+- The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
+
+## Run
+
+```powershell
+dotnet run
+```
+
+Then open the URL shown in the console output (for example, `https://localhost:5001`).
+
+### Configuration
+
+Media Gateway settings are configured in `appsettings.json`:
+
+```json
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
+```
+
+You can also use environment variables or user secrets. If you haven't already initialized user secrets for this project, run:
+
+```powershell
+dotnet user-secrets init
+dotnet user-secrets set "MediaGateway:Password" "your-password"
+```
+
+## Required environment setup
+
+### 1. Trust the Media Gateway certificate
+
+If the Media Gateway certificate is self-signed or otherwise untrusted, the browser will fail to load `gwp.js` or connect to the gateway.
+
+For development, the sample automatically allows certificate warnings when connecting to the Media Gateway from the server-side token endpoint. The browser must still trust the certificate for the `gwp.js` script load and WebSocket connections. Add the certificate to the browser's trust store or use a trusted certificate.
+
+### 2. Allow the page origin in Media Gateway CORS
+
+If strict CORS is enabled, add the ASP.NET application origin to `MediaGateway.gconfig`:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+    <MediaGateway EnforceStrictCrossOrigin="true">
+        <AllowedOrigin Origin="https://localhost:5001" />
+    </MediaGateway>
+</Configuration>
+```
+
+Restart the Media Gateway role after the change.
+
+### 3. Use a matching GWP build
+
+The sample loads `gwp.js` from `${mediaGatewayEndpoint}/v2/files/gwp.js` so the player version matches the Security Center version.
+
+## Scope and limitations
+
+- This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
+- This sample has no user authentication. Anyone who can reach the application can view camera streams. A real application must add its own authentication layer to control who can access the application.
+- Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
+- The default SDK certificate is the Genetec development certificate intended for SDK development only.
+- A Content Security Policy meta tag restricts script sources, connections, and media to `self`, `https:`, `wss:`, and `blob:`. The policy allows `'unsafe-inline'` for scripts and styles because the page uses inline markup. The Razor Pages sample demonstrates how to use CSP nonces instead.
+- Player startup is cancellable. Clicking Stop during script load or session establishment cancels the in-flight start and cleans up any partially created player.
+- Browser autoplay rules apply to audio.
+- Video rendering and overlays remain in the HTML layer, not the ASP.NET server.
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json b/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json
new file mode 100644
index 0000000..a5e1b2a
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json	
@@ -0,0 +1,9 @@
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html b/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html
new file mode 100644
index 0000000..c1255b5
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html	
@@ -0,0 +1,549 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:; script-src 'self' https: 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https: wss:; media-src https: blob:;">
+  <title>GWP Minimal API Sample</title>
+  <style>
+    :root {
+      --bg: #edf3f8;
+      --surface: rgba(255, 255, 255, 0.92);
+      --surface-strong: #ffffff;
+      --ink: #102033;
+      --muted: #54667a;
+      --line: #d6e0ea;
+      --accent: #0f766e;
+      --accent-strong: #115e59;
+      --warning: #92400e;
+      --danger: #b91c1c;
+      --shadow: 0 24px 60px rgba(16, 32, 51, 0.12);
+    }
+
+    * {
+      box-sizing: border-box;
+    }
+
+    body {
+      margin: 0;
+      font-family: "Segoe UI", "Aptos", sans-serif;
+      color: var(--ink);
+      background:
+        radial-gradient(circle at top left, rgba(15, 118, 110, 0.12), transparent 28%),
+        radial-gradient(circle at right, rgba(22, 101, 52, 0.10), transparent 22%),
+        linear-gradient(180deg, #f8fbfd 0%, var(--bg) 100%);
+      min-height: 100vh;
+    }
+
+    html,
+    body {
+      height: 100%;
+    }
+
+    .shell {
+      display: grid;
+      grid-template-columns: 360px minmax(0, 1fr);
+      gap: 18px;
+      padding: 18px;
+      min-height: 100vh;
+      height: 100vh;
+    }
+
+    .panel {
+      background: var(--surface);
+      backdrop-filter: blur(10px);
+      border: 1px solid var(--line);
+      border-radius: 22px;
+      box-shadow: var(--shadow);
+      min-height: 0;
+    }
+
+    .controls {
+      padding: 22px;
+      display: flex;
+      flex-direction: column;
+      gap: 18px;
+      min-height: 0;
+      overflow: auto;
+    }
+
+    .lede {
+      margin: 8px 0 0;
+      color: var(--muted);
+      line-height: 1.45;
+    }
+
+    .origin {
+      margin-top: 8px;
+      padding: 10px 12px;
+      border-radius: 12px;
+      background: #ecfdf5;
+      border: 1px solid #a7f3d0;
+      color: #065f46;
+      font-size: 0.95rem;
+    }
+
+    .field-grid {
+      display: grid;
+      gap: 12px;
+    }
+
+    label {
+      display: grid;
+      gap: 6px;
+      font-size: 0.92rem;
+      color: var(--muted);
+    }
+
+    input {
+      width: 100%;
+      padding: 11px 12px;
+      border-radius: 12px;
+      border: 1px solid var(--line);
+      background: var(--surface-strong);
+      color: var(--ink);
+      font: inherit;
+    }
+
+    .actions {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 10px;
+    }
+
+    button {
+      appearance: none;
+      border: none;
+      border-radius: 999px;
+      padding: 10px 16px;
+      font: inherit;
+      cursor: pointer;
+      transition: transform 120ms ease, opacity 120ms ease, background-color 120ms ease;
+    }
+
+    button:hover {
+      transform: translateY(-1px);
+    }
+
+    button.primary {
+      background: var(--accent);
+      color: white;
+    }
+
+    button.primary:hover {
+      background: var(--accent-strong);
+    }
+
+    button.secondary {
+      background: #dce8f2;
+      color: var(--ink);
+    }
+
+    .stage {
+      display: flex;
+      flex-direction: column;
+      min-height: 0;
+      overflow: hidden;
+    }
+
+    .stage-header {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      padding: 18px 22px 0;
+    }
+
+    .status-chip {
+      padding: 8px 12px;
+      border-radius: 999px;
+      background: #e0f2fe;
+      color: #075985;
+      font-size: 0.9rem;
+    }
+
+    #playerContainer {
+      margin: 18px 22px 14px;
+      width: auto;
+      aspect-ratio: 16 / 9;
+      min-height: 320px;
+      max-height: min(56vh, 560px);
+      flex: 0 0 auto;
+      border-radius: 20px;
+      overflow: hidden;
+      position: relative;
+      background:
+        linear-gradient(135deg, #07111f 0%, #11263f 100%);
+      border: 1px solid #17324f;
+    }
+
+    #playerContainer::before {
+      content: "GWP video surface";
+      position: absolute;
+      inset: 16px auto auto 16px;
+      padding: 6px 10px;
+      border-radius: 999px;
+      background: rgba(12, 23, 42, 0.65);
+      color: rgba(255, 255, 255, 0.72);
+      font-size: 0.82rem;
+      letter-spacing: 0.03em;
+      z-index: 0;
+    }
+
+    .log {
+      margin: 0 22px 22px;
+      padding: 14px;
+      border-radius: 16px;
+      background: #08111f;
+      color: #d8e6f5;
+      min-height: 180px;
+      overflow: auto;
+      flex: 1 1 auto;
+      height: 100%;
+      font: 0.88rem/1.45 Consolas, "Cascadia Code", monospace;
+      white-space: pre-wrap;
+    }
+
+    .log .error {
+      color: #fca5a5;
+    }
+
+    .log .warn {
+      color: #fdba74;
+    }
+
+    @media (max-width: 1100px) {
+      .shell {
+        grid-template-columns: 1fr;
+        height: auto;
+      }
+
+      #playerContainer {
+        min-height: 240px;
+        max-height: min(42vh, 420px);
+      }
+    }
+  </style>
+</head>
+<body>
+  <div class="shell">
+    <section class="panel controls">
+      <div>
+        <p class="lede">This page runs with the origin shown below. Add that origin to the Media Gateway allowed origins list when strict CORS is enabled.</p>
+        <div class="origin" id="originDisplay"></div>
+      </div>
+
+      <div class="field-grid">
+        <label>
+          Media Gateway endpoint
+          <input id="mediaGatewayEndpoint" type="text" readonly>
+        </label>
+        <label>
+          Server version
+          <input id="serverVersion" type="text" readonly>
+        </label>
+        <label>
+          Camera GUID
+          <input id="cameraGuid" type="text" placeholder="00000000-0000-0000-0000-000000000000" spellcheck="false">
+        </label>
+      </div>
+
+      <div class="actions">
+        <button id="startButton" class="primary">Start Player</button>
+        <button id="stopButton" class="secondary">Stop</button>
+        <button id="liveButton" class="secondary">Live</button>
+        <button id="pauseButton" class="secondary">Pause</button>
+        <button id="resumeButton" class="secondary">Resume</button>
+        <button id="toggleAudioButton" class="secondary">Toggle Audio</button>
+      </div>
+
+    </section>
+
+    <section class="panel stage">
+      <div class="stage-header">
+        <div id="statusChip" class="status-chip">Idle</div>
+      </div>
+
+      <div id="playerContainer"></div>
+      <div id="log" class="log"></div>
+    </section>
+  </div>
+
+  <script>
+    const state = {
+      config: null,
+      player: null,
+      gwpLoadedFor: null,
+      startGeneration: 0,
+      activeStartGeneration: null,
+    };
+
+    const elements = {
+      originDisplay: document.getElementById('originDisplay'),
+      statusChip: document.getElementById('statusChip'),
+      log: document.getElementById('log'),
+      playerContainer: document.getElementById('playerContainer'),
+      mediaGatewayEndpoint: document.getElementById('mediaGatewayEndpoint'),
+      serverVersion: document.getElementById('serverVersion'),
+      cameraGuid: document.getElementById('cameraGuid'),
+      startButton: document.getElementById('startButton'),
+      stopButton: document.getElementById('stopButton'),
+      liveButton: document.getElementById('liveButton'),
+      pauseButton: document.getElementById('pauseButton'),
+      resumeButton: document.getElementById('resumeButton'),
+      toggleAudioButton: document.getElementById('toggleAudioButton'),
+    };
+
+    elements.originDisplay.textContent = `Current origin: ${window.location.origin}`;
+
+    function setStatus(text) {
+      elements.statusChip.textContent = text;
+    }
+
+    function logLine(message, level = 'info') {
+      const line = document.createElement('div');
+      const stamp = new Date().toLocaleTimeString();
+      if (level !== 'info') {
+        line.classList.add(level);
+      }
+      line.textContent = `[${stamp}] ${message}`;
+      elements.log.prepend(line);
+    }
+
+    async function loadConfig() {
+      const response = await fetch('/api/config');
+      if (!response.ok) {
+        throw new Error(`Failed to load configuration: ${response.status}`);
+      }
+
+      state.config = await response.json();
+      elements.mediaGatewayEndpoint.value = state.config.mediaGatewayEndpoint ?? '';
+      elements.serverVersion.value = state.config.serverVersion ?? 'Use Media Gateway default';
+      logLine('Server configuration loaded');
+    }
+
+    async function ensureGwpLoaded(mediaGatewayEndpoint) {
+      const scriptUrl = `${mediaGatewayEndpoint}/v2/files/gwp.js`;
+
+      if (window.gwp && state.gwpLoadedFor === scriptUrl) {
+        return;
+      }
+
+      if (window.gwp && state.gwpLoadedFor !== scriptUrl) {
+        throw new Error('GWP was already loaded from a different Media Gateway. Refresh the page before switching servers.');
+      }
+
+      await new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = scriptUrl;
+        script.onload = resolve;
+        script.onerror = () => reject(new Error(`Failed to load ${scriptUrl}. Check certificate trust and endpoint correctness.`));
+        document.head.appendChild(script);
+      });
+
+      state.gwpLoadedFor = scriptUrl;
+      logLine(`Loaded gwp.js from ${scriptUrl}`);
+    }
+
+    function disposePlayer() {
+      if (!state.player) {
+        return;
+      }
+
+      try {
+        state.player.stop();
+      } catch {
+      }
+
+      try {
+        state.player.dispose();
+      } catch {
+      }
+
+      state.player = null;
+      setStatus('Stopped');
+      logLine('Player disposed');
+    }
+
+    function cancelPendingStart() {
+      if (state.activeStartGeneration === null) {
+        return false;
+      }
+
+      state.startGeneration++;
+      return true;
+    }
+
+    function buildTokenRetriever() {
+      return async (cameraId) => {
+        const response = await fetch(`/api/token/${encodeURIComponent(cameraId)}`);
+        if (!response.ok) {
+          throw new Error(`Token request failed: ${response.status}`);
+        }
+        return await response.text();
+      };
+    }
+
+    function wireEvents(player) {
+      player.onErrorStateRaised.register((error) => {
+        setStatus(`Error ${error.errorCode}`);
+        logLine(`Error ${error.errorCode}: ${error.value}`, 'error');
+      });
+
+      player.onPlayerStateChanged.register((event) => {
+        logLine(`Player state changed: ${event.playerState} ${event.value ?? ''}`.trim());
+      });
+
+      player.onStreamStatusChanged.register((event) => {
+        setStatus(event.state);
+        logLine(`Stream status: ${event.state} ${event.value ?? ''}`.trim());
+      });
+
+      player.onAudioStateChanged.register((event) => {
+        logLine(`Audio enabled: ${event.isAudioEnabled}`);
+      });
+
+      player.onAudioAvailabilityChanged.register((event) => {
+        logLine(`Audio available: ${event.isAudioAvailable}`);
+      });
+
+      player.onFrameRendered.register((frameTime) => {
+        setStatus(`Rendering ${frameTime.toISOString()}`);
+      });
+    }
+
+    async function startPlayer() {
+      if (state.activeStartGeneration !== null) {
+        logLine('A player startup is already in progress.', 'warn');
+        return;
+      }
+
+      const generation = ++state.startGeneration;
+      state.activeStartGeneration = generation;
+
+      function cancelled() {
+        return state.startGeneration !== generation;
+      }
+
+      let pendingPlayer = null;
+      try {
+        const mediaGatewayEndpoint = (state.config?.mediaGatewayEndpoint ?? '').trim().replace(/\/+$/, '');
+        const cameraGuid = elements.cameraGuid.value.trim();
+        const serverVersion = (state.config?.serverVersion ?? '').trim();
+
+        if (!mediaGatewayEndpoint) {
+          throw new Error('The Media Gateway endpoint is not configured.');
+        }
+
+        if (!cameraGuid) {
+          throw new Error('Camera GUID is required.');
+        }
+
+        await ensureGwpLoaded(mediaGatewayEndpoint);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during script load');
+          return;
+        }
+
+        disposePlayer();
+
+        const tokenRetriever = buildTokenRetriever();
+        pendingPlayer = window.gwp.buildPlayer(elements.playerContainer);
+        wireEvents(pendingPlayer);
+
+        logLine(`Starting player for ${cameraGuid}`);
+        await pendingPlayer.start(cameraGuid, mediaGatewayEndpoint, tokenRetriever, serverVersion || undefined);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during session establishment');
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+          pendingPlayer = null;
+          return;
+        }
+
+        pendingPlayer.playLive();
+        state.player = pendingPlayer;
+        pendingPlayer = null;
+        setStatus('Live');
+        logLine(`GWP version ${window.gwp.version()}`);
+        logLine('Live playback started');
+      } finally {
+        if (pendingPlayer) {
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+        }
+        if (state.activeStartGeneration === generation) {
+          state.activeStartGeneration = null;
+        }
+      }
+    }
+
+    elements.startButton.addEventListener('click', async () => {
+      try {
+        await startPlayer();
+      } catch (error) {
+        setStatus('Start failed');
+        logLine(error instanceof Error ? error.message : String(error), 'error');
+      }
+    });
+
+    elements.stopButton.addEventListener('click', () => {
+      if (cancelPendingStart()) {
+        setStatus('Cancelling');
+        logLine('Stop requested during startup');
+      }
+
+      disposePlayer();
+    });
+
+    elements.liveButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.playLive();
+      setStatus('Live');
+      logLine('Switched to live');
+    });
+
+    elements.pauseButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.pause();
+      setStatus('Paused');
+      logLine('Playback paused');
+    });
+
+    elements.resumeButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.resume();
+      setStatus('Resumed');
+      logLine('Playback resumed');
+    });
+
+    elements.toggleAudioButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      const nextValue = !state.player.isAudioEnabled;
+      state.player.setAudioEnabled(nextValue);
+      logLine(`Requested audio state ${nextValue}. Browser autoplay policy still applies.`, 'warn');
+    });
+
+    window.addEventListener('beforeunload', () => disposePlayer());
+
+    loadConfig().catch((error) => {
+      logLine(error instanceof Error ? error.message : String(error), 'error');
+    });
+
+    logLine('Page ready');
+  </script>
+</body>
+</html>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj b/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj
new file mode 100644
index 0000000..ac3a5c7
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj	
@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <AssemblyName>GwpRazorPagesSample</AssemblyName>
+    <RootNamespace>Genetec.Dap.CodeSamples</RootNamespace>
+    <Description>Sample project</Description>
+    <Company>Genetec Inc.</Company>
+    <Copyright>Copyright © Genetec Inc. 2025</Copyright>
+  </PropertyGroup>
+
+</Project>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml
new file mode 100644
index 0000000..15ed63e
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml	
@@ -0,0 +1,540 @@
+@page
+@using System.Text.Json
+@model Genetec.Dap.CodeSamples.Pages.IndexModel
+@{
+    Layout = null;
+    var nonce = Model.CspNonce;
+}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>GWP Razor Pages Sample</title>
+  <style nonce="@nonce">
+    :root {
+      --bg: #edf3f8;
+      --surface: rgba(255, 255, 255, 0.92);
+      --surface-strong: #ffffff;
+      --ink: #102033;
+      --muted: #54667a;
+      --line: #d6e0ea;
+      --accent: #0f766e;
+      --accent-strong: #115e59;
+      --warning: #92400e;
+      --danger: #b91c1c;
+      --shadow: 0 24px 60px rgba(16, 32, 51, 0.12);
+    }
+
+    * {
+      box-sizing: border-box;
+    }
+
+    body {
+      margin: 0;
+      font-family: "Segoe UI", "Aptos", sans-serif;
+      color: var(--ink);
+      background:
+        radial-gradient(circle at top left, rgba(15, 118, 110, 0.12), transparent 28%),
+        radial-gradient(circle at right, rgba(22, 101, 52, 0.10), transparent 22%),
+        linear-gradient(180deg, #f8fbfd 0%, var(--bg) 100%);
+      min-height: 100vh;
+    }
+
+    html,
+    body {
+      height: 100%;
+    }
+
+    .shell {
+      display: grid;
+      grid-template-columns: 360px minmax(0, 1fr);
+      gap: 18px;
+      padding: 18px;
+      min-height: 100vh;
+      height: 100vh;
+    }
+
+    .panel {
+      background: var(--surface);
+      backdrop-filter: blur(10px);
+      border: 1px solid var(--line);
+      border-radius: 22px;
+      box-shadow: var(--shadow);
+      min-height: 0;
+    }
+
+    .controls {
+      padding: 22px;
+      display: flex;
+      flex-direction: column;
+      gap: 18px;
+      min-height: 0;
+      overflow: auto;
+    }
+
+    .lede {
+      margin: 8px 0 0;
+      color: var(--muted);
+      line-height: 1.45;
+    }
+
+    .origin {
+      margin-top: 8px;
+      padding: 10px 12px;
+      border-radius: 12px;
+      background: #ecfdf5;
+      border: 1px solid #a7f3d0;
+      color: #065f46;
+      font-size: 0.95rem;
+    }
+
+    .field-grid {
+      display: grid;
+      gap: 12px;
+    }
+
+    label {
+      display: grid;
+      gap: 6px;
+      font-size: 0.92rem;
+      color: var(--muted);
+    }
+
+    input {
+      width: 100%;
+      padding: 11px 12px;
+      border-radius: 12px;
+      border: 1px solid var(--line);
+      background: var(--surface-strong);
+      color: var(--ink);
+      font: inherit;
+    }
+
+    .actions {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 10px;
+    }
+
+    button {
+      appearance: none;
+      border: none;
+      border-radius: 999px;
+      padding: 10px 16px;
+      font: inherit;
+      cursor: pointer;
+      transition: transform 120ms ease, opacity 120ms ease, background-color 120ms ease;
+    }
+
+    button:hover {
+      transform: translateY(-1px);
+    }
+
+    button.primary {
+      background: var(--accent);
+      color: white;
+    }
+
+    button.primary:hover {
+      background: var(--accent-strong);
+    }
+
+    button.secondary {
+      background: #dce8f2;
+      color: var(--ink);
+    }
+
+    .stage {
+      display: flex;
+      flex-direction: column;
+      min-height: 0;
+      overflow: hidden;
+    }
+
+    .stage-header {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      padding: 18px 22px 0;
+    }
+
+    .status-chip {
+      padding: 8px 12px;
+      border-radius: 999px;
+      background: #e0f2fe;
+      color: #075985;
+      font-size: 0.9rem;
+    }
+
+    #playerContainer {
+      margin: 18px 22px 14px;
+      width: auto;
+      aspect-ratio: 16 / 9;
+      min-height: 320px;
+      max-height: min(56vh, 560px);
+      flex: 0 0 auto;
+      border-radius: 20px;
+      overflow: hidden;
+      position: relative;
+      background:
+        linear-gradient(135deg, #07111f 0%, #11263f 100%);
+      border: 1px solid #17324f;
+    }
+
+    #playerContainer::before {
+      content: "GWP video surface";
+      position: absolute;
+      inset: 16px auto auto 16px;
+      padding: 6px 10px;
+      border-radius: 999px;
+      background: rgba(12, 23, 42, 0.65);
+      color: rgba(255, 255, 255, 0.72);
+      font-size: 0.82rem;
+      letter-spacing: 0.03em;
+      z-index: 0;
+    }
+
+    .log {
+      margin: 0 22px 22px;
+      padding: 14px;
+      border-radius: 16px;
+      background: #08111f;
+      color: #d8e6f5;
+      min-height: 180px;
+      overflow: auto;
+      flex: 1 1 auto;
+      height: 100%;
+      font: 0.88rem/1.45 Consolas, "Cascadia Code", monospace;
+      white-space: pre-wrap;
+    }
+
+    .log .error {
+      color: #fca5a5;
+    }
+
+    .log .warn {
+      color: #fdba74;
+    }
+
+    @@media (max-width: 1100px) {
+      .shell {
+        grid-template-columns: 1fr;
+        height: auto;
+      }
+
+      #playerContainer {
+        min-height: 240px;
+        max-height: min(42vh, 420px);
+      }
+    }
+  </style>
+</head>
+<body>
+  <div class="shell">
+    <section class="panel controls">
+      <div>
+        <p class="lede">This page runs with the origin shown below. Add that origin to the Media Gateway allowed origins list when strict CORS is enabled.</p>
+        <div class="origin" id="originDisplay"></div>
+      </div>
+
+      <div class="field-grid">
+        <label>
+          Media Gateway endpoint
+          <input id="mediaGatewayEndpoint" type="text" value="@Model.MediaGatewayEndpoint" readonly>
+        </label>
+        <label>
+          Server version
+          <input id="serverVersion" type="text" value="@(Model.ServerVersion ?? "Use Media Gateway default")" readonly>
+        </label>
+        <label>
+          Camera GUID
+          <input id="cameraGuid" type="text" placeholder="00000000-0000-0000-0000-000000000000" spellcheck="false">
+        </label>
+      </div>
+
+      <div class="actions">
+        <button id="startButton" class="primary">Start Player</button>
+        <button id="stopButton" class="secondary">Stop</button>
+        <button id="liveButton" class="secondary">Live</button>
+        <button id="pauseButton" class="secondary">Pause</button>
+        <button id="resumeButton" class="secondary">Resume</button>
+        <button id="toggleAudioButton" class="secondary">Toggle Audio</button>
+      </div>
+
+    </section>
+
+    <section class="panel stage">
+      <div class="stage-header">
+        <div id="statusChip" class="status-chip">Idle</div>
+      </div>
+
+      <div id="playerContainer"></div>
+      <div id="log" class="log"></div>
+    </section>
+  </div>
+
+  <script nonce="@nonce">
+    const hostConfig = Object.freeze(@Html.Raw(JsonSerializer.Serialize(new {
+      mediaGatewayEndpoint = Model.MediaGatewayEndpoint,
+      serverVersion = Model.ServerVersion ?? "",
+    })));
+
+    const state = {
+      player: null,
+      gwpLoadedFor: null,
+      startGeneration: 0,
+      activeStartGeneration: null,
+    };
+
+    const elements = {
+      originDisplay: document.getElementById('originDisplay'),
+      statusChip: document.getElementById('statusChip'),
+      log: document.getElementById('log'),
+      playerContainer: document.getElementById('playerContainer'),
+      cameraGuid: document.getElementById('cameraGuid'),
+      startButton: document.getElementById('startButton'),
+      stopButton: document.getElementById('stopButton'),
+      liveButton: document.getElementById('liveButton'),
+      pauseButton: document.getElementById('pauseButton'),
+      resumeButton: document.getElementById('resumeButton'),
+      toggleAudioButton: document.getElementById('toggleAudioButton'),
+    };
+
+    elements.originDisplay.textContent = `Current origin: ${window.location.origin}`;
+
+    function setStatus(text) {
+      elements.statusChip.textContent = text;
+    }
+
+    function logLine(message, level = 'info') {
+      const line = document.createElement('div');
+      const stamp = new Date().toLocaleTimeString();
+      if (level !== 'info') {
+        line.classList.add(level);
+      }
+      line.textContent = `[${stamp}] ${message}`;
+      elements.log.prepend(line);
+    }
+
+    async function ensureGwpLoaded(mediaGatewayEndpoint) {
+      const scriptUrl = `${mediaGatewayEndpoint}/v2/files/gwp.js`;
+
+      if (window.gwp && state.gwpLoadedFor === scriptUrl) {
+        return;
+      }
+
+      if (window.gwp && state.gwpLoadedFor !== scriptUrl) {
+        throw new Error('GWP was already loaded from a different Media Gateway. Refresh the page before switching servers.');
+      }
+
+      await new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = scriptUrl;
+        script.onload = resolve;
+        script.onerror = () => reject(new Error(`Failed to load ${scriptUrl}. Check certificate trust and endpoint correctness.`));
+        document.head.appendChild(script);
+      });
+
+      state.gwpLoadedFor = scriptUrl;
+      logLine(`Loaded gwp.js from ${scriptUrl}`);
+    }
+
+    function disposePlayer() {
+      if (!state.player) {
+        return;
+      }
+
+      try {
+        state.player.stop();
+      } catch {
+      }
+
+      try {
+        state.player.dispose();
+      } catch {
+      }
+
+      state.player = null;
+      setStatus('Stopped');
+      logLine('Player disposed');
+    }
+
+    function cancelPendingStart() {
+      if (state.activeStartGeneration === null) {
+        return false;
+      }
+
+      state.startGeneration++;
+      return true;
+    }
+
+    function buildTokenRetriever() {
+      return async (cameraId) => {
+        const response = await fetch(`/api/token/${encodeURIComponent(cameraId)}`);
+        if (!response.ok) {
+          throw new Error(`Token request failed: ${response.status}`);
+        }
+        return await response.text();
+      };
+    }
+
+    function wireEvents(player) {
+      player.onErrorStateRaised.register((error) => {
+        setStatus(`Error ${error.errorCode}`);
+        logLine(`Error ${error.errorCode}: ${error.value}`, 'error');
+      });
+
+      player.onPlayerStateChanged.register((event) => {
+        logLine(`Player state changed: ${event.playerState} ${event.value ?? ''}`.trim());
+      });
+
+      player.onStreamStatusChanged.register((event) => {
+        setStatus(event.state);
+        logLine(`Stream status: ${event.state} ${event.value ?? ''}`.trim());
+      });
+
+      player.onAudioStateChanged.register((event) => {
+        logLine(`Audio enabled: ${event.isAudioEnabled}`);
+      });
+
+      player.onAudioAvailabilityChanged.register((event) => {
+        logLine(`Audio available: ${event.isAudioAvailable}`);
+      });
+
+      player.onFrameRendered.register((frameTime) => {
+        setStatus(`Rendering ${frameTime.toISOString()}`);
+      });
+    }
+
+    async function startPlayer() {
+      if (state.activeStartGeneration !== null) {
+        logLine('A player startup is already in progress.', 'warn');
+        return;
+      }
+
+      const generation = ++state.startGeneration;
+      state.activeStartGeneration = generation;
+
+      function cancelled() {
+        return state.startGeneration !== generation;
+      }
+
+      let pendingPlayer = null;
+      try {
+        const mediaGatewayEndpoint = (hostConfig.mediaGatewayEndpoint ?? '').trim().replace(/\/+$/, '');
+        const cameraGuid = elements.cameraGuid.value.trim();
+        const serverVersion = (hostConfig.serverVersion ?? '').trim();
+
+        if (!mediaGatewayEndpoint) {
+          throw new Error('The Media Gateway endpoint is not configured.');
+        }
+
+        if (!cameraGuid) {
+          throw new Error('Camera GUID is required.');
+        }
+
+        await ensureGwpLoaded(mediaGatewayEndpoint);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during script load');
+          return;
+        }
+
+        disposePlayer();
+
+        const tokenRetriever = buildTokenRetriever();
+        pendingPlayer = window.gwp.buildPlayer(elements.playerContainer);
+        wireEvents(pendingPlayer);
+
+        logLine(`Starting player for ${cameraGuid}`);
+        await pendingPlayer.start(cameraGuid, mediaGatewayEndpoint, tokenRetriever, serverVersion || undefined);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during session establishment');
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+          pendingPlayer = null;
+          return;
+        }
+
+        pendingPlayer.playLive();
+        state.player = pendingPlayer;
+        pendingPlayer = null;
+        setStatus('Live');
+        logLine(`GWP version ${window.gwp.version()}`);
+        logLine('Live playback started');
+      } finally {
+        if (pendingPlayer) {
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+        }
+        if (state.activeStartGeneration === generation) {
+          state.activeStartGeneration = null;
+        }
+      }
+    }
+
+    elements.startButton.addEventListener('click', async () => {
+      try {
+        await startPlayer();
+      } catch (error) {
+        setStatus('Start failed');
+        logLine(error instanceof Error ? error.message : String(error), 'error');
+      }
+    });
+
+    elements.stopButton.addEventListener('click', () => {
+      if (cancelPendingStart()) {
+        setStatus('Cancelling');
+        logLine('Stop requested during startup');
+      }
+
+      disposePlayer();
+    });
+
+    elements.liveButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.playLive();
+      setStatus('Live');
+      logLine('Switched to live');
+    });
+
+    elements.pauseButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.pause();
+      setStatus('Paused');
+      logLine('Playback paused');
+    });
+
+    elements.resumeButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.resume();
+      setStatus('Resumed');
+      logLine('Playback resumed');
+    });
+
+    elements.toggleAudioButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      const nextValue = !state.player.isAudioEnabled;
+      state.player.setAudioEnabled(nextValue);
+      logLine(`Requested audio state ${nextValue}. Browser autoplay policy still applies.`, 'warn');
+    });
+
+    window.addEventListener('beforeunload', () => disposePlayer());
+    logLine('Page ready');
+  </script>
+</body>
+</html>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs
new file mode 100644
index 0000000..0d9d9a5
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs	
@@ -0,0 +1,29 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace Genetec.Dap.CodeSamples.Pages;
+
+public class IndexModel : PageModel
+{
+    public string MediaGatewayEndpoint { get; private set; } = string.Empty;
+
+    public string? ServerVersion { get; private set; }
+
+    public string CspNonce { get; private set; } = string.Empty;
+
+    private readonly MediaGatewayOptions m_options;
+
+    public IndexModel(MediaGatewayOptions options)
+    {
+        m_options = options;
+    }
+
+    public void OnGet()
+    {
+        MediaGatewayEndpoint = m_options.Endpoint;
+        ServerVersion = m_options.ServerVersion;
+        CspNonce = HttpContext.Items["CspNonce"] as string ?? string.Empty;
+    }
+}
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs b/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs
new file mode 100644
index 0000000..3405cb6
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs	
@@ -0,0 +1,86 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using System.Net.Http.Headers;
+using System.Security.Cryptography;
+using System.Text;
+
+var builder = WebApplication.CreateBuilder(args);
+
+var mediaGateway = builder.Configuration.GetSection("MediaGateway");
+var endpoint = mediaGateway["Endpoint"]?.TrimEnd('/') ?? throw new InvalidOperationException("MediaGateway:Endpoint is required.");
+var username = mediaGateway["Username"] ?? throw new InvalidOperationException("MediaGateway:Username is required.");
+var password = mediaGateway["Password"] ?? string.Empty;
+var sdkCertificate = mediaGateway["SdkCertificate"] ?? throw new InvalidOperationException("MediaGateway:SdkCertificate is required.");
+var serverVersion = mediaGateway["ServerVersion"];
+
+var authorizationParameter = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username};{sdkCertificate}:{password}"));
+
+builder.Services.AddRazorPages();
+
+builder.Services.AddHttpClient("MediaGateway", client =>
+{
+    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", authorizationParameter);
+}).ConfigurePrimaryHttpMessageHandler(() =>
+{
+    var handler = new HttpClientHandler();
+    if (builder.Environment.IsDevelopment())
+    {
+        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+    }
+    return handler;
+});
+
+builder.Services.AddSingleton(new MediaGatewayOptions
+{
+    Endpoint = endpoint,
+    ServerVersion = string.IsNullOrWhiteSpace(serverVersion) ? null : serverVersion.Trim(),
+});
+
+var app = builder.Build();
+
+app.Use(async (context, next) =>
+{
+    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
+    context.Items["CspNonce"] = nonce;
+
+    context.Response.Headers["Content-Security-Policy"] = string.Join("; ",
+        "default-src 'self' https:",
+        $"script-src 'self' https: 'nonce-{nonce}'",
+        $"style-src 'self' 'nonce-{nonce}'",
+        "connect-src 'self' https: wss:",
+        "media-src https: blob:");
+
+    await next();
+});
+
+app.UseStaticFiles();
+app.UseRouting();
+app.MapRazorPages();
+
+app.MapGet("/api/token/{cameraId}", async (string cameraId, IHttpClientFactory httpClientFactory) =>
+{
+    if (string.IsNullOrWhiteSpace(cameraId))
+    {
+        return Results.BadRequest("A camera GUID is required.");
+    }
+
+    var client = httpClientFactory.CreateClient("MediaGateway");
+    var response = await client.GetAsync($"{endpoint}/v2/token/{Uri.EscapeDataString(cameraId.Trim())}");
+
+    if (!response.IsSuccessStatusCode)
+    {
+        return Results.StatusCode((int)response.StatusCode);
+    }
+
+    var token = await response.Content.ReadAsStringAsync();
+    return Results.Text(token);
+});
+
+app.Run();
+
+public class MediaGatewayOptions
+{
+    public required string Endpoint { get; init; }
+    public string? ServerVersion { get; init; }
+}
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json b/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json
new file mode 100644
index 0000000..c65cb95
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json	
@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "GwpRazorPagesSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:65426;http://localhost:65427"
+    }
+  }
+}
\ No newline at end of file
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
new file mode 100644
index 0000000..82e68ef
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -0,0 +1,93 @@
+# GWP Razor Pages Sample
+
+This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core Razor Pages application with production-ready CSP nonce support:
+
+- ASP.NET Core serves a Razor Page that loads and runs GWP.
+- The page is server-rendered, so the Media Gateway endpoint and server version are injected directly into the markup. No client-side configuration fetch is needed.
+- A per-request cryptographic CSP nonce is generated in middleware, added to the `Content-Security-Policy` response header, and passed to each `<script>` and `<style>` tag via the Razor page model. This eliminates the need for `'unsafe-inline'`.
+- A server-side `/api/token/{cameraId}` endpoint proxies token requests to the Media Gateway using credentials from `appsettings.json`. Media Gateway credentials never reach the browser.
+- The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
+
+Compared to the Minimal API sample, this sample adds:
+
+- **CSP nonces** instead of `'unsafe-inline'`, demonstrating how to tighten the Content Security Policy for production use.
+- **Server-rendered configuration** injected directly into the Razor markup, removing the need for a separate `/api/config` endpoint.
+
+## Run
+
+```powershell
+dotnet run
+```
+
+Then open the URL shown in the console output (for example, `https://localhost:5001`).
+
+### Configuration
+
+Media Gateway settings are configured in `appsettings.json`:
+
+```json
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
+```
+
+You can also use environment variables or user secrets:
+
+```powershell
+dotnet user-secrets init
+dotnet user-secrets set "MediaGateway:Password" "your-password"
+```
+
+## Required environment setup
+
+### 1. Trust the Media Gateway certificate
+
+If the Media Gateway certificate is self-signed or otherwise untrusted, the browser will fail to load `gwp.js` or connect to the gateway.
+
+For development, the sample automatically allows certificate warnings when connecting to the Media Gateway from the server-side token endpoint. The browser must still trust the certificate for the `gwp.js` script load and WebSocket connections. Add the certificate to the browser's trust store or use a trusted certificate.
+
+### 2. Allow the page origin in Media Gateway CORS
+
+If strict CORS is enabled, add the ASP.NET application origin (the URL shown when you run the app, for example `https://localhost:5001`) to `MediaGateway.gconfig`:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+    <MediaGateway EnforceStrictCrossOrigin="true">
+        <!-- Replace https://localhost:5001 with the actual ASP.NET app origin shown in the console or configured in applicationUrl -->
+        <AllowedOrigin Origin="https://localhost:5001" />
+    </MediaGateway>
+</Configuration>
+```
+
+Restart the Media Gateway role after the change.
+
+### 3. Use a matching GWP build
+
+The sample loads `gwp.js` from `${mediaGatewayEndpoint}/v2/files/gwp.js` so the player version matches the Security Center version.
+
+## CSP nonce implementation
+
+The Content Security Policy is enforced via HTTP response header, not a meta tag. Each request receives a fresh cryptographic nonce:
+
+1. **Middleware** in `Program.cs` generates a random nonce using `RandomNumberGenerator`, stores it in `HttpContext.Items`, and writes the `Content-Security-Policy` header.
+2. **Page model** (`Index.cshtml.cs`) reads the nonce from `HttpContext.Items` and exposes it as a property.
+3. **Razor markup** (`Index.cshtml`) applies the nonce to each `<script nonce="@nonce">` and `<style nonce="@nonce">` tag.
+
+Because the nonce is unique per request and cryptographically random, inline scripts and styles are allowed only when they carry the correct nonce. An attacker who injects markup cannot predict the nonce value.
+
+## Scope and limitations
+
+- This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
+- This sample has no user authentication. Anyone who can reach the application can view camera streams. A real application must add its own authentication layer to control who can access the application.
+- Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
+- The default SDK certificate is the Genetec development certificate intended for SDK development only.
+- Player startup is cancellable. Clicking Stop during script load or session establishment cancels the in-flight start and cleans up any partially created player.
+- Browser autoplay rules apply to audio.
+- Video rendering and overlays remain in the HTML layer, not the ASP.NET server.
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json b/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json
new file mode 100644
index 0000000..a5e1b2a
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json	
@@ -0,0 +1,9 @@
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}