In this work we report on the first H.264 authentication watermarker that operates directly in the bitstream, needing no video decoding or partial decompression. The main contribution of the work is identification of a watermarkable code space in H.264 protocol. The algorithm creates "exceptions" in H.264 code space that only the decoder understands while keeping the bitstream syntax compliant The code space is defined over the Context Adaptive Variable Length Coded(CAVLC) portion of protocol. What makes this algorithm possible is the discovery that most of H.264 code space is in fact unused. The watermarker securely maps eligible CAVLC to unused portions of the code space. Security is achieved through a shared key between embedder and decoder. The watermarked stream retains its file size, remains visually transparent, is secure against forging and detection. Since the watermark is placed post compression it remains fragile to re encoding and other tampering attempts.