From a831c492c4018df6e10881d84fe0680dae3b2569 Mon Sep 17 00:00:00 2001
From: Andre Lafleur <alafleur@genetec.com>
Date: Thu, 2 Apr 2026 16:45:50 +0800
Subject: [PATCH 1/6] feat: add GWP Minimal API and Razor Pages hosting samples

Two ASP.NET Core samples demonstrating server-side token proxy
patterns for hosting the Genetec Web Player:

- GwpMinimalApiSample: single Program.cs with static HTML page
- GwpRazorPagesSample: Razor Pages with per-request CSP nonces
  and server-rendered configuration via JsonSerializer.Serialize

Both samples include proper player lifecycle cleanup on failed
start and cancellable startup with generation tracking.
---
 .../GwpMinimalApiSample.csproj                |  14 +
 .../GwpMinimalApiSample/Program.cs            |  62 ++
 .../Properties/launchSettings.json            |  12 +
 .../GwpMinimalApiSample/README.md             |  82 +++
 .../GwpMinimalApiSample/appsettings.json      |   9 +
 .../GwpMinimalApiSample/wwwroot/index.html    | 549 ++++++++++++++++++
 .../GwpRazorPagesSample.csproj                |  14 +
 .../GwpRazorPagesSample/Pages/Index.cshtml    | 540 +++++++++++++++++
 .../GwpRazorPagesSample/Pages/Index.cshtml.cs |  29 +
 .../GwpRazorPagesSample/Program.cs            |  86 +++
 .../Properties/launchSettings.json            |  12 +
 .../GwpRazorPagesSample/README.md             |  95 +++
 .../GwpRazorPagesSample/appsettings.json      |   9 +
 13 files changed, 1513 insertions(+)
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/README.md
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json
 create mode 100644 Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/README.md
 create mode 100644 Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json

diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj b/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj
new file mode 100644
index 0000000..a555ab3
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/GwpMinimalApiSample.csproj	
@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <AssemblyName>GwpMinimalApiSample</AssemblyName>
+    <RootNamespace>Genetec.Dap.CodeSamples</RootNamespace>
+    <Description>Sample project</Description>
+    <Company>Genetec Inc.</Company>
+    <Copyright>Copyright © Genetec Inc. 2025</Copyright>
+  </PropertyGroup>
+
+</Project>
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs b/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs
new file mode 100644
index 0000000..54ac4a7
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/Program.cs	
@@ -0,0 +1,62 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using System.Net.Http.Headers;
+using System.Text;
+
+var builder = WebApplication.CreateBuilder(args);
+
+var mediaGateway = builder.Configuration.GetSection("MediaGateway");
+var endpoint = mediaGateway["Endpoint"]?.TrimEnd('/') ?? throw new InvalidOperationException("MediaGateway:Endpoint is required.");
+var username = mediaGateway["Username"] ?? throw new InvalidOperationException("MediaGateway:Username is required.");
+var password = mediaGateway["Password"] ?? string.Empty;
+var sdkCertificate = mediaGateway["SdkCertificate"] ?? throw new InvalidOperationException("MediaGateway:SdkCertificate is required.");
+var serverVersion = mediaGateway["ServerVersion"];
+
+var authorizationParameter = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username};{sdkCertificate}:{password}"));
+
+builder.Services.AddHttpClient("MediaGateway", client =>
+{
+    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", authorizationParameter);
+}).ConfigurePrimaryHttpMessageHandler(() =>
+{
+    var handler = new HttpClientHandler();
+    if (builder.Environment.IsDevelopment())
+    {
+        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+    }
+    return handler;
+});
+
+var app = builder.Build();
+
+app.UseStaticFiles();
+
+app.MapGet("/api/config", () => Results.Ok(new
+{
+    mediaGatewayEndpoint = endpoint,
+    serverVersion = string.IsNullOrWhiteSpace(serverVersion) ? null : serverVersion.Trim(),
+}));
+
+app.MapGet("/api/token/{cameraId}", async (string cameraId, IHttpClientFactory httpClientFactory) =>
+{
+    if (string.IsNullOrWhiteSpace(cameraId))
+    {
+        return Results.BadRequest("A camera GUID is required.");
+    }
+
+    var client = httpClientFactory.CreateClient("MediaGateway");
+    var response = await client.GetAsync($"{endpoint}/v2/token/{Uri.EscapeDataString(cameraId.Trim())}");
+
+    if (!response.IsSuccessStatusCode)
+    {
+        return Results.StatusCode((int)response.StatusCode);
+    }
+
+    var token = await response.Content.ReadAsStringAsync();
+    return Results.Text(token);
+});
+
+app.MapFallbackToFile("index.html");
+
+app.Run();
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json b/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json
new file mode 100644
index 0000000..a626612
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/Properties/launchSettings.json	
@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "GwpMinimalApiSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:59205;http://localhost:59206"
+    }
+  }
+}
\ No newline at end of file
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md
new file mode 100644
index 0000000..867a9e1
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
@@ -0,0 +1,82 @@
+# GWP Minimal API Sample
+
+This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core Minimal API application:
+
+- ASP.NET Core serves a static HTML page that loads and runs GWP.
+- A server-side `/api/token/{cameraId}` endpoint proxies token requests to the Media Gateway using credentials from `appsettings.json`. Media Gateway credentials never reach the browser.
+- A `/api/config` endpoint provides the Media Gateway endpoint and server version to the page without exposing authentication details.
+- The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
+
+## Why this shape
+
+GWP is a browser-oriented JavaScript library. It depends on DOM containers, HTML video and audio elements, canvas, WebSockets, and Media Source Extensions. ASP.NET Core serves the page and handles authentication server-side, while the browser provides the media runtime GWP requires.
+
+This is the simplest possible web hosting model for GWP: one `Program.cs`, one static HTML file, and one configuration file.
+
+## Run
+
+```powershell
+dotnet run
+```
+
+Then open the URL shown in the console output (for example, `https://localhost:5001`).
+
+### Configuration
+
+Media Gateway settings are configured in `appsettings.json`:
+
+```json
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
+```
+
+You can also use environment variables or user secrets:
+
+```powershell
+dotnet user-secrets set "MediaGateway:Password" "your-password"
+```
+
+## Required environment setup
+
+### 1. Trust the Media Gateway certificate
+
+If the Media Gateway certificate is self-signed or otherwise untrusted, the browser will fail to load `gwp.js` or connect to the gateway.
+
+For development, the sample automatically allows certificate warnings when connecting to the Media Gateway from the server-side token endpoint. The browser must still trust the certificate for the `gwp.js` script load and WebSocket connections. Add the certificate to the browser's trust store or use a trusted certificate.
+
+### 2. Allow the page origin in Media Gateway CORS
+
+If strict CORS is enabled, add the ASP.NET application origin to `MediaGateway.gconfig`:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+    <MediaGateway EnforceStrictCrossOrigin="true">
+        <AllowedOrigin Origin="https://localhost:5001" />
+    </MediaGateway>
+</Configuration>
+```
+
+Restart the Media Gateway role after the change.
+
+### 3. Use a matching GWP build
+
+The sample loads `gwp.js` from `${mediaGatewayEndpoint}/v2/files/gwp.js` so the player version matches the Security Center version.
+
+## Scope and limitations
+
+- This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
+- The `/api/token/{cameraId}` endpoint has no authentication. Any client that can reach the server can request camera tokens. A real application must add its own user authentication layer in front of this endpoint.
+- Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
+- The default SDK certificate is the Genetec development certificate intended for SDK development only.
+- A Content Security Policy meta tag restricts script sources, connections, and media to `self`, `https:`, `wss:`, and `blob:`. The policy allows `'unsafe-inline'` for scripts and styles because the page uses inline markup. The Razor Pages sample demonstrates how to use CSP nonces instead.
+- Player startup is cancellable. Clicking Stop during script load or session establishment cancels the in-flight start and cleans up any partially created player.
+- Browser autoplay rules apply to audio.
+- Video rendering and overlays remain in the HTML layer, not the ASP.NET server.
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json b/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json
new file mode 100644
index 0000000..a5e1b2a
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/appsettings.json	
@@ -0,0 +1,9 @@
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html b/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html
new file mode 100644
index 0000000..c1255b5
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/wwwroot/index.html	
@@ -0,0 +1,549 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <meta http-equiv="Content-Security-Policy" content="default-src 'self' https:; script-src 'self' https: 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self' https: wss:; media-src https: blob:;">
+  <title>GWP Minimal API Sample</title>
+  <style>
+    :root {
+      --bg: #edf3f8;
+      --surface: rgba(255, 255, 255, 0.92);
+      --surface-strong: #ffffff;
+      --ink: #102033;
+      --muted: #54667a;
+      --line: #d6e0ea;
+      --accent: #0f766e;
+      --accent-strong: #115e59;
+      --warning: #92400e;
+      --danger: #b91c1c;
+      --shadow: 0 24px 60px rgba(16, 32, 51, 0.12);
+    }
+
+    * {
+      box-sizing: border-box;
+    }
+
+    body {
+      margin: 0;
+      font-family: "Segoe UI", "Aptos", sans-serif;
+      color: var(--ink);
+      background:
+        radial-gradient(circle at top left, rgba(15, 118, 110, 0.12), transparent 28%),
+        radial-gradient(circle at right, rgba(22, 101, 52, 0.10), transparent 22%),
+        linear-gradient(180deg, #f8fbfd 0%, var(--bg) 100%);
+      min-height: 100vh;
+    }
+
+    html,
+    body {
+      height: 100%;
+    }
+
+    .shell {
+      display: grid;
+      grid-template-columns: 360px minmax(0, 1fr);
+      gap: 18px;
+      padding: 18px;
+      min-height: 100vh;
+      height: 100vh;
+    }
+
+    .panel {
+      background: var(--surface);
+      backdrop-filter: blur(10px);
+      border: 1px solid var(--line);
+      border-radius: 22px;
+      box-shadow: var(--shadow);
+      min-height: 0;
+    }
+
+    .controls {
+      padding: 22px;
+      display: flex;
+      flex-direction: column;
+      gap: 18px;
+      min-height: 0;
+      overflow: auto;
+    }
+
+    .lede {
+      margin: 8px 0 0;
+      color: var(--muted);
+      line-height: 1.45;
+    }
+
+    .origin {
+      margin-top: 8px;
+      padding: 10px 12px;
+      border-radius: 12px;
+      background: #ecfdf5;
+      border: 1px solid #a7f3d0;
+      color: #065f46;
+      font-size: 0.95rem;
+    }
+
+    .field-grid {
+      display: grid;
+      gap: 12px;
+    }
+
+    label {
+      display: grid;
+      gap: 6px;
+      font-size: 0.92rem;
+      color: var(--muted);
+    }
+
+    input {
+      width: 100%;
+      padding: 11px 12px;
+      border-radius: 12px;
+      border: 1px solid var(--line);
+      background: var(--surface-strong);
+      color: var(--ink);
+      font: inherit;
+    }
+
+    .actions {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 10px;
+    }
+
+    button {
+      appearance: none;
+      border: none;
+      border-radius: 999px;
+      padding: 10px 16px;
+      font: inherit;
+      cursor: pointer;
+      transition: transform 120ms ease, opacity 120ms ease, background-color 120ms ease;
+    }
+
+    button:hover {
+      transform: translateY(-1px);
+    }
+
+    button.primary {
+      background: var(--accent);
+      color: white;
+    }
+
+    button.primary:hover {
+      background: var(--accent-strong);
+    }
+
+    button.secondary {
+      background: #dce8f2;
+      color: var(--ink);
+    }
+
+    .stage {
+      display: flex;
+      flex-direction: column;
+      min-height: 0;
+      overflow: hidden;
+    }
+
+    .stage-header {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      padding: 18px 22px 0;
+    }
+
+    .status-chip {
+      padding: 8px 12px;
+      border-radius: 999px;
+      background: #e0f2fe;
+      color: #075985;
+      font-size: 0.9rem;
+    }
+
+    #playerContainer {
+      margin: 18px 22px 14px;
+      width: auto;
+      aspect-ratio: 16 / 9;
+      min-height: 320px;
+      max-height: min(56vh, 560px);
+      flex: 0 0 auto;
+      border-radius: 20px;
+      overflow: hidden;
+      position: relative;
+      background:
+        linear-gradient(135deg, #07111f 0%, #11263f 100%);
+      border: 1px solid #17324f;
+    }
+
+    #playerContainer::before {
+      content: "GWP video surface";
+      position: absolute;
+      inset: 16px auto auto 16px;
+      padding: 6px 10px;
+      border-radius: 999px;
+      background: rgba(12, 23, 42, 0.65);
+      color: rgba(255, 255, 255, 0.72);
+      font-size: 0.82rem;
+      letter-spacing: 0.03em;
+      z-index: 0;
+    }
+
+    .log {
+      margin: 0 22px 22px;
+      padding: 14px;
+      border-radius: 16px;
+      background: #08111f;
+      color: #d8e6f5;
+      min-height: 180px;
+      overflow: auto;
+      flex: 1 1 auto;
+      height: 100%;
+      font: 0.88rem/1.45 Consolas, "Cascadia Code", monospace;
+      white-space: pre-wrap;
+    }
+
+    .log .error {
+      color: #fca5a5;
+    }
+
+    .log .warn {
+      color: #fdba74;
+    }
+
+    @media (max-width: 1100px) {
+      .shell {
+        grid-template-columns: 1fr;
+        height: auto;
+      }
+
+      #playerContainer {
+        min-height: 240px;
+        max-height: min(42vh, 420px);
+      }
+    }
+  </style>
+</head>
+<body>
+  <div class="shell">
+    <section class="panel controls">
+      <div>
+        <p class="lede">This page runs with the origin shown below. Add that origin to the Media Gateway allowed origins list when strict CORS is enabled.</p>
+        <div class="origin" id="originDisplay"></div>
+      </div>
+
+      <div class="field-grid">
+        <label>
+          Media Gateway endpoint
+          <input id="mediaGatewayEndpoint" type="text" readonly>
+        </label>
+        <label>
+          Server version
+          <input id="serverVersion" type="text" readonly>
+        </label>
+        <label>
+          Camera GUID
+          <input id="cameraGuid" type="text" placeholder="00000000-0000-0000-0000-000000000000" spellcheck="false">
+        </label>
+      </div>
+
+      <div class="actions">
+        <button id="startButton" class="primary">Start Player</button>
+        <button id="stopButton" class="secondary">Stop</button>
+        <button id="liveButton" class="secondary">Live</button>
+        <button id="pauseButton" class="secondary">Pause</button>
+        <button id="resumeButton" class="secondary">Resume</button>
+        <button id="toggleAudioButton" class="secondary">Toggle Audio</button>
+      </div>
+
+    </section>
+
+    <section class="panel stage">
+      <div class="stage-header">
+        <div id="statusChip" class="status-chip">Idle</div>
+      </div>
+
+      <div id="playerContainer"></div>
+      <div id="log" class="log"></div>
+    </section>
+  </div>
+
+  <script>
+    const state = {
+      config: null,
+      player: null,
+      gwpLoadedFor: null,
+      startGeneration: 0,
+      activeStartGeneration: null,
+    };
+
+    const elements = {
+      originDisplay: document.getElementById('originDisplay'),
+      statusChip: document.getElementById('statusChip'),
+      log: document.getElementById('log'),
+      playerContainer: document.getElementById('playerContainer'),
+      mediaGatewayEndpoint: document.getElementById('mediaGatewayEndpoint'),
+      serverVersion: document.getElementById('serverVersion'),
+      cameraGuid: document.getElementById('cameraGuid'),
+      startButton: document.getElementById('startButton'),
+      stopButton: document.getElementById('stopButton'),
+      liveButton: document.getElementById('liveButton'),
+      pauseButton: document.getElementById('pauseButton'),
+      resumeButton: document.getElementById('resumeButton'),
+      toggleAudioButton: document.getElementById('toggleAudioButton'),
+    };
+
+    elements.originDisplay.textContent = `Current origin: ${window.location.origin}`;
+
+    function setStatus(text) {
+      elements.statusChip.textContent = text;
+    }
+
+    function logLine(message, level = 'info') {
+      const line = document.createElement('div');
+      const stamp = new Date().toLocaleTimeString();
+      if (level !== 'info') {
+        line.classList.add(level);
+      }
+      line.textContent = `[${stamp}] ${message}`;
+      elements.log.prepend(line);
+    }
+
+    async function loadConfig() {
+      const response = await fetch('/api/config');
+      if (!response.ok) {
+        throw new Error(`Failed to load configuration: ${response.status}`);
+      }
+
+      state.config = await response.json();
+      elements.mediaGatewayEndpoint.value = state.config.mediaGatewayEndpoint ?? '';
+      elements.serverVersion.value = state.config.serverVersion ?? 'Use Media Gateway default';
+      logLine('Server configuration loaded');
+    }
+
+    async function ensureGwpLoaded(mediaGatewayEndpoint) {
+      const scriptUrl = `${mediaGatewayEndpoint}/v2/files/gwp.js`;
+
+      if (window.gwp && state.gwpLoadedFor === scriptUrl) {
+        return;
+      }
+
+      if (window.gwp && state.gwpLoadedFor !== scriptUrl) {
+        throw new Error('GWP was already loaded from a different Media Gateway. Refresh the page before switching servers.');
+      }
+
+      await new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = scriptUrl;
+        script.onload = resolve;
+        script.onerror = () => reject(new Error(`Failed to load ${scriptUrl}. Check certificate trust and endpoint correctness.`));
+        document.head.appendChild(script);
+      });
+
+      state.gwpLoadedFor = scriptUrl;
+      logLine(`Loaded gwp.js from ${scriptUrl}`);
+    }
+
+    function disposePlayer() {
+      if (!state.player) {
+        return;
+      }
+
+      try {
+        state.player.stop();
+      } catch {
+      }
+
+      try {
+        state.player.dispose();
+      } catch {
+      }
+
+      state.player = null;
+      setStatus('Stopped');
+      logLine('Player disposed');
+    }
+
+    function cancelPendingStart() {
+      if (state.activeStartGeneration === null) {
+        return false;
+      }
+
+      state.startGeneration++;
+      return true;
+    }
+
+    function buildTokenRetriever() {
+      return async (cameraId) => {
+        const response = await fetch(`/api/token/${encodeURIComponent(cameraId)}`);
+        if (!response.ok) {
+          throw new Error(`Token request failed: ${response.status}`);
+        }
+        return await response.text();
+      };
+    }
+
+    function wireEvents(player) {
+      player.onErrorStateRaised.register((error) => {
+        setStatus(`Error ${error.errorCode}`);
+        logLine(`Error ${error.errorCode}: ${error.value}`, 'error');
+      });
+
+      player.onPlayerStateChanged.register((event) => {
+        logLine(`Player state changed: ${event.playerState} ${event.value ?? ''}`.trim());
+      });
+
+      player.onStreamStatusChanged.register((event) => {
+        setStatus(event.state);
+        logLine(`Stream status: ${event.state} ${event.value ?? ''}`.trim());
+      });
+
+      player.onAudioStateChanged.register((event) => {
+        logLine(`Audio enabled: ${event.isAudioEnabled}`);
+      });
+
+      player.onAudioAvailabilityChanged.register((event) => {
+        logLine(`Audio available: ${event.isAudioAvailable}`);
+      });
+
+      player.onFrameRendered.register((frameTime) => {
+        setStatus(`Rendering ${frameTime.toISOString()}`);
+      });
+    }
+
+    async function startPlayer() {
+      if (state.activeStartGeneration !== null) {
+        logLine('A player startup is already in progress.', 'warn');
+        return;
+      }
+
+      const generation = ++state.startGeneration;
+      state.activeStartGeneration = generation;
+
+      function cancelled() {
+        return state.startGeneration !== generation;
+      }
+
+      let pendingPlayer = null;
+      try {
+        const mediaGatewayEndpoint = (state.config?.mediaGatewayEndpoint ?? '').trim().replace(/\/+$/, '');
+        const cameraGuid = elements.cameraGuid.value.trim();
+        const serverVersion = (state.config?.serverVersion ?? '').trim();
+
+        if (!mediaGatewayEndpoint) {
+          throw new Error('The Media Gateway endpoint is not configured.');
+        }
+
+        if (!cameraGuid) {
+          throw new Error('Camera GUID is required.');
+        }
+
+        await ensureGwpLoaded(mediaGatewayEndpoint);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during script load');
+          return;
+        }
+
+        disposePlayer();
+
+        const tokenRetriever = buildTokenRetriever();
+        pendingPlayer = window.gwp.buildPlayer(elements.playerContainer);
+        wireEvents(pendingPlayer);
+
+        logLine(`Starting player for ${cameraGuid}`);
+        await pendingPlayer.start(cameraGuid, mediaGatewayEndpoint, tokenRetriever, serverVersion || undefined);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during session establishment');
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+          pendingPlayer = null;
+          return;
+        }
+
+        pendingPlayer.playLive();
+        state.player = pendingPlayer;
+        pendingPlayer = null;
+        setStatus('Live');
+        logLine(`GWP version ${window.gwp.version()}`);
+        logLine('Live playback started');
+      } finally {
+        if (pendingPlayer) {
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+        }
+        if (state.activeStartGeneration === generation) {
+          state.activeStartGeneration = null;
+        }
+      }
+    }
+
+    elements.startButton.addEventListener('click', async () => {
+      try {
+        await startPlayer();
+      } catch (error) {
+        setStatus('Start failed');
+        logLine(error instanceof Error ? error.message : String(error), 'error');
+      }
+    });
+
+    elements.stopButton.addEventListener('click', () => {
+      if (cancelPendingStart()) {
+        setStatus('Cancelling');
+        logLine('Stop requested during startup');
+      }
+
+      disposePlayer();
+    });
+
+    elements.liveButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.playLive();
+      setStatus('Live');
+      logLine('Switched to live');
+    });
+
+    elements.pauseButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.pause();
+      setStatus('Paused');
+      logLine('Playback paused');
+    });
+
+    elements.resumeButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.resume();
+      setStatus('Resumed');
+      logLine('Playback resumed');
+    });
+
+    elements.toggleAudioButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      const nextValue = !state.player.isAudioEnabled;
+      state.player.setAudioEnabled(nextValue);
+      logLine(`Requested audio state ${nextValue}. Browser autoplay policy still applies.`, 'warn');
+    });
+
+    window.addEventListener('beforeunload', () => disposePlayer());
+
+    loadConfig().catch((error) => {
+      logLine(error instanceof Error ? error.message : String(error), 'error');
+    });
+
+    logLine('Page ready');
+  </script>
+</body>
+</html>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj b/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj
new file mode 100644
index 0000000..ac3a5c7
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/GwpRazorPagesSample.csproj	
@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <AssemblyName>GwpRazorPagesSample</AssemblyName>
+    <RootNamespace>Genetec.Dap.CodeSamples</RootNamespace>
+    <Description>Sample project</Description>
+    <Company>Genetec Inc.</Company>
+    <Copyright>Copyright © Genetec Inc. 2025</Copyright>
+  </PropertyGroup>
+
+</Project>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml
new file mode 100644
index 0000000..15ed63e
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml	
@@ -0,0 +1,540 @@
+@page
+@using System.Text.Json
+@model Genetec.Dap.CodeSamples.Pages.IndexModel
+@{
+    Layout = null;
+    var nonce = Model.CspNonce;
+}
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>GWP Razor Pages Sample</title>
+  <style nonce="@nonce">
+    :root {
+      --bg: #edf3f8;
+      --surface: rgba(255, 255, 255, 0.92);
+      --surface-strong: #ffffff;
+      --ink: #102033;
+      --muted: #54667a;
+      --line: #d6e0ea;
+      --accent: #0f766e;
+      --accent-strong: #115e59;
+      --warning: #92400e;
+      --danger: #b91c1c;
+      --shadow: 0 24px 60px rgba(16, 32, 51, 0.12);
+    }
+
+    * {
+      box-sizing: border-box;
+    }
+
+    body {
+      margin: 0;
+      font-family: "Segoe UI", "Aptos", sans-serif;
+      color: var(--ink);
+      background:
+        radial-gradient(circle at top left, rgba(15, 118, 110, 0.12), transparent 28%),
+        radial-gradient(circle at right, rgba(22, 101, 52, 0.10), transparent 22%),
+        linear-gradient(180deg, #f8fbfd 0%, var(--bg) 100%);
+      min-height: 100vh;
+    }
+
+    html,
+    body {
+      height: 100%;
+    }
+
+    .shell {
+      display: grid;
+      grid-template-columns: 360px minmax(0, 1fr);
+      gap: 18px;
+      padding: 18px;
+      min-height: 100vh;
+      height: 100vh;
+    }
+
+    .panel {
+      background: var(--surface);
+      backdrop-filter: blur(10px);
+      border: 1px solid var(--line);
+      border-radius: 22px;
+      box-shadow: var(--shadow);
+      min-height: 0;
+    }
+
+    .controls {
+      padding: 22px;
+      display: flex;
+      flex-direction: column;
+      gap: 18px;
+      min-height: 0;
+      overflow: auto;
+    }
+
+    .lede {
+      margin: 8px 0 0;
+      color: var(--muted);
+      line-height: 1.45;
+    }
+
+    .origin {
+      margin-top: 8px;
+      padding: 10px 12px;
+      border-radius: 12px;
+      background: #ecfdf5;
+      border: 1px solid #a7f3d0;
+      color: #065f46;
+      font-size: 0.95rem;
+    }
+
+    .field-grid {
+      display: grid;
+      gap: 12px;
+    }
+
+    label {
+      display: grid;
+      gap: 6px;
+      font-size: 0.92rem;
+      color: var(--muted);
+    }
+
+    input {
+      width: 100%;
+      padding: 11px 12px;
+      border-radius: 12px;
+      border: 1px solid var(--line);
+      background: var(--surface-strong);
+      color: var(--ink);
+      font: inherit;
+    }
+
+    .actions {
+      display: flex;
+      flex-wrap: wrap;
+      gap: 10px;
+    }
+
+    button {
+      appearance: none;
+      border: none;
+      border-radius: 999px;
+      padding: 10px 16px;
+      font: inherit;
+      cursor: pointer;
+      transition: transform 120ms ease, opacity 120ms ease, background-color 120ms ease;
+    }
+
+    button:hover {
+      transform: translateY(-1px);
+    }
+
+    button.primary {
+      background: var(--accent);
+      color: white;
+    }
+
+    button.primary:hover {
+      background: var(--accent-strong);
+    }
+
+    button.secondary {
+      background: #dce8f2;
+      color: var(--ink);
+    }
+
+    .stage {
+      display: flex;
+      flex-direction: column;
+      min-height: 0;
+      overflow: hidden;
+    }
+
+    .stage-header {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      padding: 18px 22px 0;
+    }
+
+    .status-chip {
+      padding: 8px 12px;
+      border-radius: 999px;
+      background: #e0f2fe;
+      color: #075985;
+      font-size: 0.9rem;
+    }
+
+    #playerContainer {
+      margin: 18px 22px 14px;
+      width: auto;
+      aspect-ratio: 16 / 9;
+      min-height: 320px;
+      max-height: min(56vh, 560px);
+      flex: 0 0 auto;
+      border-radius: 20px;
+      overflow: hidden;
+      position: relative;
+      background:
+        linear-gradient(135deg, #07111f 0%, #11263f 100%);
+      border: 1px solid #17324f;
+    }
+
+    #playerContainer::before {
+      content: "GWP video surface";
+      position: absolute;
+      inset: 16px auto auto 16px;
+      padding: 6px 10px;
+      border-radius: 999px;
+      background: rgba(12, 23, 42, 0.65);
+      color: rgba(255, 255, 255, 0.72);
+      font-size: 0.82rem;
+      letter-spacing: 0.03em;
+      z-index: 0;
+    }
+
+    .log {
+      margin: 0 22px 22px;
+      padding: 14px;
+      border-radius: 16px;
+      background: #08111f;
+      color: #d8e6f5;
+      min-height: 180px;
+      overflow: auto;
+      flex: 1 1 auto;
+      height: 100%;
+      font: 0.88rem/1.45 Consolas, "Cascadia Code", monospace;
+      white-space: pre-wrap;
+    }
+
+    .log .error {
+      color: #fca5a5;
+    }
+
+    .log .warn {
+      color: #fdba74;
+    }
+
+    @@media (max-width: 1100px) {
+      .shell {
+        grid-template-columns: 1fr;
+        height: auto;
+      }
+
+      #playerContainer {
+        min-height: 240px;
+        max-height: min(42vh, 420px);
+      }
+    }
+  </style>
+</head>
+<body>
+  <div class="shell">
+    <section class="panel controls">
+      <div>
+        <p class="lede">This page runs with the origin shown below. Add that origin to the Media Gateway allowed origins list when strict CORS is enabled.</p>
+        <div class="origin" id="originDisplay"></div>
+      </div>
+
+      <div class="field-grid">
+        <label>
+          Media Gateway endpoint
+          <input id="mediaGatewayEndpoint" type="text" value="@Model.MediaGatewayEndpoint" readonly>
+        </label>
+        <label>
+          Server version
+          <input id="serverVersion" type="text" value="@(Model.ServerVersion ?? "Use Media Gateway default")" readonly>
+        </label>
+        <label>
+          Camera GUID
+          <input id="cameraGuid" type="text" placeholder="00000000-0000-0000-0000-000000000000" spellcheck="false">
+        </label>
+      </div>
+
+      <div class="actions">
+        <button id="startButton" class="primary">Start Player</button>
+        <button id="stopButton" class="secondary">Stop</button>
+        <button id="liveButton" class="secondary">Live</button>
+        <button id="pauseButton" class="secondary">Pause</button>
+        <button id="resumeButton" class="secondary">Resume</button>
+        <button id="toggleAudioButton" class="secondary">Toggle Audio</button>
+      </div>
+
+    </section>
+
+    <section class="panel stage">
+      <div class="stage-header">
+        <div id="statusChip" class="status-chip">Idle</div>
+      </div>
+
+      <div id="playerContainer"></div>
+      <div id="log" class="log"></div>
+    </section>
+  </div>
+
+  <script nonce="@nonce">
+    const hostConfig = Object.freeze(@Html.Raw(JsonSerializer.Serialize(new {
+      mediaGatewayEndpoint = Model.MediaGatewayEndpoint,
+      serverVersion = Model.ServerVersion ?? "",
+    })));
+
+    const state = {
+      player: null,
+      gwpLoadedFor: null,
+      startGeneration: 0,
+      activeStartGeneration: null,
+    };
+
+    const elements = {
+      originDisplay: document.getElementById('originDisplay'),
+      statusChip: document.getElementById('statusChip'),
+      log: document.getElementById('log'),
+      playerContainer: document.getElementById('playerContainer'),
+      cameraGuid: document.getElementById('cameraGuid'),
+      startButton: document.getElementById('startButton'),
+      stopButton: document.getElementById('stopButton'),
+      liveButton: document.getElementById('liveButton'),
+      pauseButton: document.getElementById('pauseButton'),
+      resumeButton: document.getElementById('resumeButton'),
+      toggleAudioButton: document.getElementById('toggleAudioButton'),
+    };
+
+    elements.originDisplay.textContent = `Current origin: ${window.location.origin}`;
+
+    function setStatus(text) {
+      elements.statusChip.textContent = text;
+    }
+
+    function logLine(message, level = 'info') {
+      const line = document.createElement('div');
+      const stamp = new Date().toLocaleTimeString();
+      if (level !== 'info') {
+        line.classList.add(level);
+      }
+      line.textContent = `[${stamp}] ${message}`;
+      elements.log.prepend(line);
+    }
+
+    async function ensureGwpLoaded(mediaGatewayEndpoint) {
+      const scriptUrl = `${mediaGatewayEndpoint}/v2/files/gwp.js`;
+
+      if (window.gwp && state.gwpLoadedFor === scriptUrl) {
+        return;
+      }
+
+      if (window.gwp && state.gwpLoadedFor !== scriptUrl) {
+        throw new Error('GWP was already loaded from a different Media Gateway. Refresh the page before switching servers.');
+      }
+
+      await new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = scriptUrl;
+        script.onload = resolve;
+        script.onerror = () => reject(new Error(`Failed to load ${scriptUrl}. Check certificate trust and endpoint correctness.`));
+        document.head.appendChild(script);
+      });
+
+      state.gwpLoadedFor = scriptUrl;
+      logLine(`Loaded gwp.js from ${scriptUrl}`);
+    }
+
+    function disposePlayer() {
+      if (!state.player) {
+        return;
+      }
+
+      try {
+        state.player.stop();
+      } catch {
+      }
+
+      try {
+        state.player.dispose();
+      } catch {
+      }
+
+      state.player = null;
+      setStatus('Stopped');
+      logLine('Player disposed');
+    }
+
+    function cancelPendingStart() {
+      if (state.activeStartGeneration === null) {
+        return false;
+      }
+
+      state.startGeneration++;
+      return true;
+    }
+
+    function buildTokenRetriever() {
+      return async (cameraId) => {
+        const response = await fetch(`/api/token/${encodeURIComponent(cameraId)}`);
+        if (!response.ok) {
+          throw new Error(`Token request failed: ${response.status}`);
+        }
+        return await response.text();
+      };
+    }
+
+    function wireEvents(player) {
+      player.onErrorStateRaised.register((error) => {
+        setStatus(`Error ${error.errorCode}`);
+        logLine(`Error ${error.errorCode}: ${error.value}`, 'error');
+      });
+
+      player.onPlayerStateChanged.register((event) => {
+        logLine(`Player state changed: ${event.playerState} ${event.value ?? ''}`.trim());
+      });
+
+      player.onStreamStatusChanged.register((event) => {
+        setStatus(event.state);
+        logLine(`Stream status: ${event.state} ${event.value ?? ''}`.trim());
+      });
+
+      player.onAudioStateChanged.register((event) => {
+        logLine(`Audio enabled: ${event.isAudioEnabled}`);
+      });
+
+      player.onAudioAvailabilityChanged.register((event) => {
+        logLine(`Audio available: ${event.isAudioAvailable}`);
+      });
+
+      player.onFrameRendered.register((frameTime) => {
+        setStatus(`Rendering ${frameTime.toISOString()}`);
+      });
+    }
+
+    async function startPlayer() {
+      if (state.activeStartGeneration !== null) {
+        logLine('A player startup is already in progress.', 'warn');
+        return;
+      }
+
+      const generation = ++state.startGeneration;
+      state.activeStartGeneration = generation;
+
+      function cancelled() {
+        return state.startGeneration !== generation;
+      }
+
+      let pendingPlayer = null;
+      try {
+        const mediaGatewayEndpoint = (hostConfig.mediaGatewayEndpoint ?? '').trim().replace(/\/+$/, '');
+        const cameraGuid = elements.cameraGuid.value.trim();
+        const serverVersion = (hostConfig.serverVersion ?? '').trim();
+
+        if (!mediaGatewayEndpoint) {
+          throw new Error('The Media Gateway endpoint is not configured.');
+        }
+
+        if (!cameraGuid) {
+          throw new Error('Camera GUID is required.');
+        }
+
+        await ensureGwpLoaded(mediaGatewayEndpoint);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during script load');
+          return;
+        }
+
+        disposePlayer();
+
+        const tokenRetriever = buildTokenRetriever();
+        pendingPlayer = window.gwp.buildPlayer(elements.playerContainer);
+        wireEvents(pendingPlayer);
+
+        logLine(`Starting player for ${cameraGuid}`);
+        await pendingPlayer.start(cameraGuid, mediaGatewayEndpoint, tokenRetriever, serverVersion || undefined);
+        if (cancelled()) {
+          setStatus('Stopped');
+          logLine('Start cancelled during session establishment');
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+          pendingPlayer = null;
+          return;
+        }
+
+        pendingPlayer.playLive();
+        state.player = pendingPlayer;
+        pendingPlayer = null;
+        setStatus('Live');
+        logLine(`GWP version ${window.gwp.version()}`);
+        logLine('Live playback started');
+      } finally {
+        if (pendingPlayer) {
+          try { pendingPlayer.stop(); } catch {}
+          try { pendingPlayer.dispose(); } catch {}
+        }
+        if (state.activeStartGeneration === generation) {
+          state.activeStartGeneration = null;
+        }
+      }
+    }
+
+    elements.startButton.addEventListener('click', async () => {
+      try {
+        await startPlayer();
+      } catch (error) {
+        setStatus('Start failed');
+        logLine(error instanceof Error ? error.message : String(error), 'error');
+      }
+    });
+
+    elements.stopButton.addEventListener('click', () => {
+      if (cancelPendingStart()) {
+        setStatus('Cancelling');
+        logLine('Stop requested during startup');
+      }
+
+      disposePlayer();
+    });
+
+    elements.liveButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.playLive();
+      setStatus('Live');
+      logLine('Switched to live');
+    });
+
+    elements.pauseButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.pause();
+      setStatus('Paused');
+      logLine('Playback paused');
+    });
+
+    elements.resumeButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      state.player.resume();
+      setStatus('Resumed');
+      logLine('Playback resumed');
+    });
+
+    elements.toggleAudioButton.addEventListener('click', () => {
+      if (!state.player) {
+        return;
+      }
+
+      const nextValue = !state.player.isAudioEnabled;
+      state.player.setAudioEnabled(nextValue);
+      logLine(`Requested audio state ${nextValue}. Browser autoplay policy still applies.`, 'warn');
+    });
+
+    window.addEventListener('beforeunload', () => disposePlayer());
+    logLine('Page ready');
+  </script>
+</body>
+</html>
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs
new file mode 100644
index 0000000..0d9d9a5
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Pages/Index.cshtml.cs	
@@ -0,0 +1,29 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace Genetec.Dap.CodeSamples.Pages;
+
+public class IndexModel : PageModel
+{
+    public string MediaGatewayEndpoint { get; private set; } = string.Empty;
+
+    public string? ServerVersion { get; private set; }
+
+    public string CspNonce { get; private set; } = string.Empty;
+
+    private readonly MediaGatewayOptions m_options;
+
+    public IndexModel(MediaGatewayOptions options)
+    {
+        m_options = options;
+    }
+
+    public void OnGet()
+    {
+        MediaGatewayEndpoint = m_options.Endpoint;
+        ServerVersion = m_options.ServerVersion;
+        CspNonce = HttpContext.Items["CspNonce"] as string ?? string.Empty;
+    }
+}
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs b/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs
new file mode 100644
index 0000000..3405cb6
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Program.cs	
@@ -0,0 +1,86 @@
+// Copyright 2025 Genetec Inc.
+// Licensed under the Apache License, Version 2.0
+
+using System.Net.Http.Headers;
+using System.Security.Cryptography;
+using System.Text;
+
+var builder = WebApplication.CreateBuilder(args);
+
+var mediaGateway = builder.Configuration.GetSection("MediaGateway");
+var endpoint = mediaGateway["Endpoint"]?.TrimEnd('/') ?? throw new InvalidOperationException("MediaGateway:Endpoint is required.");
+var username = mediaGateway["Username"] ?? throw new InvalidOperationException("MediaGateway:Username is required.");
+var password = mediaGateway["Password"] ?? string.Empty;
+var sdkCertificate = mediaGateway["SdkCertificate"] ?? throw new InvalidOperationException("MediaGateway:SdkCertificate is required.");
+var serverVersion = mediaGateway["ServerVersion"];
+
+var authorizationParameter = Convert.ToBase64String(Encoding.UTF8.GetBytes($"{username};{sdkCertificate}:{password}"));
+
+builder.Services.AddRazorPages();
+
+builder.Services.AddHttpClient("MediaGateway", client =>
+{
+    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Basic", authorizationParameter);
+}).ConfigurePrimaryHttpMessageHandler(() =>
+{
+    var handler = new HttpClientHandler();
+    if (builder.Environment.IsDevelopment())
+    {
+        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
+    }
+    return handler;
+});
+
+builder.Services.AddSingleton(new MediaGatewayOptions
+{
+    Endpoint = endpoint,
+    ServerVersion = string.IsNullOrWhiteSpace(serverVersion) ? null : serverVersion.Trim(),
+});
+
+var app = builder.Build();
+
+app.Use(async (context, next) =>
+{
+    var nonce = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
+    context.Items["CspNonce"] = nonce;
+
+    context.Response.Headers["Content-Security-Policy"] = string.Join("; ",
+        "default-src 'self' https:",
+        $"script-src 'self' https: 'nonce-{nonce}'",
+        $"style-src 'self' 'nonce-{nonce}'",
+        "connect-src 'self' https: wss:",
+        "media-src https: blob:");
+
+    await next();
+});
+
+app.UseStaticFiles();
+app.UseRouting();
+app.MapRazorPages();
+
+app.MapGet("/api/token/{cameraId}", async (string cameraId, IHttpClientFactory httpClientFactory) =>
+{
+    if (string.IsNullOrWhiteSpace(cameraId))
+    {
+        return Results.BadRequest("A camera GUID is required.");
+    }
+
+    var client = httpClientFactory.CreateClient("MediaGateway");
+    var response = await client.GetAsync($"{endpoint}/v2/token/{Uri.EscapeDataString(cameraId.Trim())}");
+
+    if (!response.IsSuccessStatusCode)
+    {
+        return Results.StatusCode((int)response.StatusCode);
+    }
+
+    var token = await response.Content.ReadAsStringAsync();
+    return Results.Text(token);
+});
+
+app.Run();
+
+public class MediaGatewayOptions
+{
+    public required string Endpoint { get; init; }
+    public string? ServerVersion { get; init; }
+}
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json b/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json
new file mode 100644
index 0000000..c65cb95
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/Properties/launchSettings.json	
@@ -0,0 +1,12 @@
+{
+  "profiles": {
+    "GwpRazorPagesSample": {
+      "commandName": "Project",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      },
+      "applicationUrl": "https://localhost:65426;http://localhost:65427"
+    }
+  }
+}
\ No newline at end of file
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
new file mode 100644
index 0000000..3557c50
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -0,0 +1,95 @@
+# GWP Razor Pages Sample
+
+This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core Razor Pages application with production-ready CSP nonce support:
+
+- ASP.NET Core serves a Razor Page that loads and runs GWP.
+- The page is server-rendered, so the Media Gateway endpoint and server version are injected directly into the markup. No client-side configuration fetch is needed.
+- A per-request cryptographic CSP nonce is generated in middleware, added to the `Content-Security-Policy` response header, and passed to each `<script>` and `<style>` tag via the Razor page model. This eliminates the need for `'unsafe-inline'`.
+- A server-side `/api/token/{cameraId}` endpoint proxies token requests to the Media Gateway using credentials from `appsettings.json`. Media Gateway credentials never reach the browser.
+- The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
+
+## Why this shape
+
+GWP is a browser-oriented JavaScript library. It depends on DOM containers, HTML video and audio elements, canvas, WebSockets, and Media Source Extensions. ASP.NET Core serves the page and handles authentication server-side, while the browser provides the media runtime GWP requires.
+
+Compared to the Minimal API sample, this sample adds:
+
+- **CSP nonces** instead of `'unsafe-inline'`, demonstrating how to tighten the Content Security Policy for production use.
+- **Server-rendered configuration** injected directly into the Razor markup, removing the need for a separate `/api/config` endpoint.
+
+## Run
+
+```powershell
+dotnet run
+```
+
+Then open the URL shown in the console output (for example, `https://localhost:5001`).
+
+### Configuration
+
+Media Gateway settings are configured in `appsettings.json`:
+
+```json
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}
+```
+
+You can also use environment variables or user secrets:
+
+```powershell
+dotnet user-secrets set "MediaGateway:Password" "your-password"
+```
+
+## Required environment setup
+
+### 1. Trust the Media Gateway certificate
+
+If the Media Gateway certificate is self-signed or otherwise untrusted, the browser will fail to load `gwp.js` or connect to the gateway.
+
+For development, the sample automatically allows certificate warnings when connecting to the Media Gateway from the server-side token endpoint. The browser must still trust the certificate for the `gwp.js` script load and WebSocket connections. Add the certificate to the browser's trust store or use a trusted certificate.
+
+### 2. Allow the page origin in Media Gateway CORS
+
+If strict CORS is enabled, add the ASP.NET application origin to `MediaGateway.gconfig`:
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<Configuration>
+    <MediaGateway EnforceStrictCrossOrigin="true">
+        <AllowedOrigin Origin="https://localhost:5001" />
+    </MediaGateway>
+</Configuration>
+```
+
+Restart the Media Gateway role after the change.
+
+### 3. Use a matching GWP build
+
+The sample loads `gwp.js` from `${mediaGatewayEndpoint}/v2/files/gwp.js` so the player version matches the Security Center version.
+
+## CSP nonce implementation
+
+The Content Security Policy is enforced via HTTP response header, not a meta tag. Each request receives a fresh cryptographic nonce:
+
+1. **Middleware** in `Program.cs` generates a random nonce using `RandomNumberGenerator`, stores it in `HttpContext.Items`, and writes the `Content-Security-Policy` header.
+2. **Page model** (`Index.cshtml.cs`) reads the nonce from `HttpContext.Items` and exposes it as a property.
+3. **Razor markup** (`Index.cshtml`) applies the nonce to each `<script nonce="@nonce">` and `<style nonce="@nonce">` tag.
+
+Because the nonce is unique per request and cryptographically random, inline scripts and styles are allowed only when they carry the correct nonce. An attacker who injects markup cannot predict the nonce value.
+
+## Scope and limitations
+
+- This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
+- The `/api/token/{cameraId}` endpoint has no authentication. Any client that can reach the server can request camera tokens. A real application must add its own user authentication layer in front of this endpoint.
+- Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
+- The default SDK certificate is the Genetec development certificate intended for SDK development only.
+- Player startup is cancellable. Clicking Stop during script load or session establishment cancels the in-flight start and cleans up any partially created player.
+- Browser autoplay rules apply to audio.
+- Video rendering and overlays remain in the HTML layer, not the ASP.NET server.
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json b/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json
new file mode 100644
index 0000000..a5e1b2a
--- /dev/null
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/appsettings.json	
@@ -0,0 +1,9 @@
+{
+  "MediaGateway": {
+    "Endpoint": "https://localhost/media",
+    "Username": "admin",
+    "Password": "",
+    "SdkCertificate": "KxsD11z743Hf5Gq9mv3+5ekxzemlCiUXkTFY5ba1NOGcLCmGstt2n0zYE9NsNimv",
+    "ServerVersion": ""
+  }
+}

From 6bc2fe33f10c87d7b07d9e417f7eeff09b2bff2c Mon Sep 17 00:00:00 2001
From: Andre Lafleur <alafleur@genetec.com>
Date: Thu, 2 Apr 2026 16:53:53 +0800
Subject: [PATCH 2/6] docs: clarify authentication scope in web sample READMEs

The limitation is that the application itself has no user
authentication, not just the token endpoint.
---
 Samples/Genetec Web Player/GwpMinimalApiSample/README.md | 2 +-
 Samples/Genetec Web Player/GwpRazorPagesSample/README.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md
index 867a9e1..815ea67 100644
--- a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
@@ -73,7 +73,7 @@ The sample loads `gwp.js` from `${mediaGatewayEndpoint}/v2/files/gwp.js` so the
 ## Scope and limitations
 
 - This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
-- The `/api/token/{cameraId}` endpoint has no authentication. Any client that can reach the server can request camera tokens. A real application must add its own user authentication layer in front of this endpoint.
+- This sample has no user authentication. Anyone who can reach the application can view camera streams. A real application must add its own authentication layer to control who can access the application.
 - Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
 - The default SDK certificate is the Genetec development certificate intended for SDK development only.
 - A Content Security Policy meta tag restricts script sources, connections, and media to `self`, `https:`, `wss:`, and `blob:`. The policy allows `'unsafe-inline'` for scripts and styles because the page uses inline markup. The Razor Pages sample demonstrates how to use CSP nonces instead.
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
index 3557c50..3a21875 100644
--- a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -87,7 +87,7 @@ Because the nonce is unique per request and cryptographically random, inline scr
 ## Scope and limitations
 
 - This sample demonstrates a feasible hosting pattern. It is not a production-ready security design.
-- The `/api/token/{cameraId}` endpoint has no authentication. Any client that can reach the server can request camera tokens. A real application must add its own user authentication layer in front of this endpoint.
+- This sample has no user authentication. Anyone who can reach the application can view camera streams. A real application must add its own authentication layer to control who can access the application.
 - Media Gateway credentials are stored in `appsettings.json`. For production, use a secure configuration provider such as user secrets, Azure Key Vault, or environment variables.
 - The default SDK certificate is the Genetec development certificate intended for SDK development only.
 - Player startup is cancellable. Clicking Stop during script load or session establishment cancels the in-flight start and cleans up any partially created player.

From ac4c5f6a0e2e4e3f7cd3a84082c492df0124aaaf Mon Sep 17 00:00:00 2001
From: Andre Lafleur <alafleur@genetec.com>
Date: Thu, 2 Apr 2026 16:56:36 +0800
Subject: [PATCH 3/6] docs: remove filler 'Why this shape' section from web
 sample READMEs

---
 Samples/Genetec Web Player/GwpMinimalApiSample/README.md | 6 ------
 Samples/Genetec Web Player/GwpRazorPagesSample/README.md | 4 ----
 2 files changed, 10 deletions(-)

diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md
index 815ea67..f332cb7 100644
--- a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
@@ -7,12 +7,6 @@ This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core M
 - A `/api/config` endpoint provides the Media Gateway endpoint and server version to the page without exposing authentication details.
 - The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
 
-## Why this shape
-
-GWP is a browser-oriented JavaScript library. It depends on DOM containers, HTML video and audio elements, canvas, WebSockets, and Media Source Extensions. ASP.NET Core serves the page and handles authentication server-side, while the browser provides the media runtime GWP requires.
-
-This is the simplest possible web hosting model for GWP: one `Program.cs`, one static HTML file, and one configuration file.
-
 ## Run
 
 ```powershell
diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
index 3a21875..277efb3 100644
--- a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -8,10 +8,6 @@ This sample demonstrates hosting the Genetec Web Player inside an ASP.NET Core R
 - A server-side `/api/token/{cameraId}` endpoint proxies token requests to the Media Gateway using credentials from `appsettings.json`. Media Gateway credentials never reach the browser.
 - The page loads `gwp.js` directly from the target Media Gateway and uses the browser environment GWP expects.
 
-## Why this shape
-
-GWP is a browser-oriented JavaScript library. It depends on DOM containers, HTML video and audio elements, canvas, WebSockets, and Media Source Extensions. ASP.NET Core serves the page and handles authentication server-side, while the browser provides the media runtime GWP requires.
-
 Compared to the Minimal API sample, this sample adds:
 
 - **CSP nonces** instead of `'unsafe-inline'`, demonstrating how to tighten the Content Security Policy for production use.

From f174024f2879212e3b7b0969854c125b6fbf3c08 Mon Sep 17 00:00:00 2001
From: Andre Lafleur <158597251+alafleur-genetec@users.noreply.github.com>
Date: Thu, 2 Apr 2026 17:02:11 +0800
Subject: [PATCH 4/6] Update Samples/Genetec Web
 Player/GwpRazorPagesSample/README.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 Samples/Genetec Web Player/GwpRazorPagesSample/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
index 277efb3..3e88493 100644
--- a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -53,12 +53,13 @@ For development, the sample automatically allows certificate warnings when conne
 
 ### 2. Allow the page origin in Media Gateway CORS
 
-If strict CORS is enabled, add the ASP.NET application origin to `MediaGateway.gconfig`:
+If strict CORS is enabled, add the ASP.NET application origin (the URL shown when you run the app, for example `https://localhost:5001`) to `MediaGateway.gconfig`:
 
 ```xml
 <?xml version="1.0" encoding="UTF-8"?>
 <Configuration>
     <MediaGateway EnforceStrictCrossOrigin="true">
+        <!-- Replace https://localhost:5001 with the actual ASP.NET app origin shown in the console or configured in applicationUrl -->
         <AllowedOrigin Origin="https://localhost:5001" />
     </MediaGateway>
 </Configuration>

From 0f4d7148a1552b3d3b7341efb8a3bd5706ce0fa8 Mon Sep 17 00:00:00 2001
From: Andre Lafleur <158597251+alafleur-genetec@users.noreply.github.com>
Date: Thu, 2 Apr 2026 17:03:05 +0800
Subject: [PATCH 5/6] Update Samples/Genetec Web
 Player/GwpMinimalApiSample/README.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 Samples/Genetec Web Player/GwpMinimalApiSample/README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md
index f332cb7..7508597 100644
--- a/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
+++ b/Samples/Genetec Web Player/GwpMinimalApiSample/README.md	
@@ -31,9 +31,10 @@ Media Gateway settings are configured in `appsettings.json`:
 }
 ```
 
-You can also use environment variables or user secrets:
+You can also use environment variables or user secrets. If you haven't already initialized user secrets for this project, run:
 
 ```powershell
+dotnet user-secrets init
 dotnet user-secrets set "MediaGateway:Password" "your-password"
 ```
 

From f5edfbe9c30f7d0d7912b7e4ed3f5089f172f75e Mon Sep 17 00:00:00 2001
From: Andre Lafleur <158597251+alafleur-genetec@users.noreply.github.com>
Date: Thu, 2 Apr 2026 17:03:25 +0800
Subject: [PATCH 6/6] Update Samples/Genetec Web
 Player/GwpRazorPagesSample/README.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 Samples/Genetec Web Player/GwpRazorPagesSample/README.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md
index 3e88493..82e68ef 100644
--- a/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
+++ b/Samples/Genetec Web Player/GwpRazorPagesSample/README.md	
@@ -40,6 +40,7 @@ Media Gateway settings are configured in `appsettings.json`:
 You can also use environment variables or user secrets:
 
 ```powershell
+dotnet user-secrets init
 dotnet user-secrets set "MediaGateway:Password" "your-password"
 ```