Introduction
The URL Signing option of CDN Static, CDN Static Push, and CDN HTTP Live services allows you to protect your CDN content from unwanted downloads.
Token authentication
URL Signing is a token authentication. Only requests with a valid token (also referred as signature, secure or hash) are allowed to access your content. Moreover the token can contain more information such as expiration time and allowed/denied IP addresses.
An example of CDN URL with token
https://cdn.mycompany.com/photo.jpeg?secure=DMF1ucDxtHCxwYQ&expires=2524647600
As you can see in the above example the token is added to the URL as a value of a query string parameter ?secure=.
Token expiration time use case
Tokens can include an expiration timestamp to secure sensitive content. This is particularly useful when providing a CDN URL to a customer that should not be shared publicly, for example, when a user has purchased access to premium content.
By generating a CDN URL with a short-lived token (valid for only a few minutes), you ensure that:
- The customer can initiate the download immediately.
- The link becomes invalid shortly thereafter, preventing unauthorized redistribution or public access if the URL is shared.
Note: The token is validated only at the initiation of the connection; an active download will not be interrupted if the token expires while the data transfer is already in progress.
How to enable URL Signing
URL Signing can be enabled during a CDN service creation (in advanced settings) or on the Services/Settings page.
Select Enabled from the URL Signing select box and fill in (any) URL Signing Key.
URL Signing and HLS streaming
Let's assume that you want to protect your CDN HLS stream https://cdn.mycompany.com/mystream/playlist.m3u8.
Please remind that the token generator requires path parameter and thus you can not use "normal" URL Signing because viewer's device will request URLs containing dynamic paths such as the following.
https://cdn.mycompany.com/mystream/segment1.ts https://cdn.mycompany.com/mystream/segment2.ts https://cdn.mycompany.com/mystream/segment3.ts
To solve this problem we provide the following URL Signing feature tailored for protecting HLS streams.
Example
Let's assume that you want to protect your CDN HLS stream https://cdn.mycompany.com/streams/live/playlist.m3u8.
All you need to do is to generate a token for the path /streams/live and then instead of using the token as a query string parameter (as with "normal" URL Signing) use it as a part of the CDN HLS URL path, e.g.
https://cdn.mycompany.com/secure=DMF1ucDAx1&expires=2524647600&ip=1.2.3.4/streams/live/playlist.m3u8
How to generate token
To generate a token you can make use of our token generators below. Please note that anyone is welcome to contribute on our GitHub.
Python
Download our Python URL Signing function from the GitHub and follow instructions from the README.md file.
PHP
Download our PHP URL Signing function from the GitHub and follow instructions from the README.md file.
Node.js
Download our Node.js URL Signing function from the GitHub and follow instructions from the README.md file.
Go (Golang)
Download our Go (Golang) URL Signing function from the GitHub and follow instructions from the README.md file.
Rust
Download our Rust URL Signing function from the GitHub and follow instructions from the README.md file.
Java
Download our Java URL Signing function from the GitHub and follow instructions from the README.md file.
.NET
Download our .NET URL Signing function from the GitHub and follow instructions from the README.md file.
Ruby
Download our Ruby URL Signing function from the GitHub and follow instructions from the README.md file.
Bash
Download our Bash URL Signing function from the GitHub and follow instructions from the README.md file.