Access control with signed URLs
Signed delivery keeps CDN files private until your backend grants access. Use it when files should not be reachable by public CDN URL alone.
Prerequisites
To use signed URLs, enable them in your project settings under Delivery → CDN domain names → Enable signed URLs:
- Enable the secure subdomain for your project.
- Generate a signing secret. You can have up to two secrets at a time — the second is for rotation.
- Set up URL signing on your backend using the secret.
- Once your integration is ready, disable the public subdomain to close unsigned access.
Signed URLs also work on custom CNAMEs — contact support to configure a branded domain for signed delivery.
If your project has a legacy ucarecdn.com domain, you must disable it to fully close unsigned access. This action is irreversible — once disabled, the legacy domain cannot be re-enabled.
How it works
When a client requests a file from your secure subdomain or a custom CNAME configured for signed delivery, the CDN validates the token query parameter before serving the file. Your backend generates this token with your signing secret and appends it to the delivery URL before returning or redirecting the client to it.
If the token is missing, expired, or does not match the requested path, the CDN returns 403 Forbidden.
The CDN reads a token query parameter appended to your delivery URL. The token has three fields:
ACL
The acl parameter defines which paths the token grants access to. It supports * as a suffix wildcard.
Digest
The hmac field is a hex-encoded HMAC-SHA256 digest of the token body.
Token body is a string constructed from the expiry timestamp and ACL in this exact order:
To calculate value of the hmac field use the signing secret as the HMAC key to compute an HMAC-SHA256 digest of the token body.
Most integration failures happen when your backend signs a different byte sequence than the CDN validates:
- Hex-decode the signing secret before using it as the HMAC key.
- Sign the ACL exactly as it appears in the token body. Do not URL-encode it before calculating the digest.
Token playground
Token generation libraries
These libraries implement the same HMAC construction and produce compatible signed-delivery tokens:
File Uploader signing proxy
File Uploader loads image previews from CDN URLs. With signed delivery enabled, unsigned preview URLs return 403 Forbidden, and the browser cannot sign them because your signing secret must stay on your backend.
A signing proxy is your application endpoint that receives a File Uploader preview URL, checks whether the requester can access the file, signs the CDN path, and redirects to the signed CDN URL.
Use it with secureDeliveryProxy or secureDeliveryProxyUrlResolver File Uploader configuration options.
Typical flow:
Your endpoint must:
- Validate that preview URL points to one of your Uploadcare CDN hosts.
- Check the requester’s credentials and access to the requested file or CDN path.
- Generate a time-limited token for the URL path.
- Redirect to the signed URL.
The example below shows the signing proxy pattern. Replace authenticateRequest and canViewUploadcareFile with your application’s own checks.
Test environment
Use these credentials to test token generation without production keys:
- Hostname:
sectest.ucarecdn.com - Secret:
73636b61519adede42191efe1e73f02a67c7b692e3765f90c250c230be095211
Do not use these credentials in production. This secret is publicly known.
Billing
Signed URLs are available on all plans, including free.