Signed URLs (Delivery)

Signed URLs provide temporary access to files with private or authenticated access types. They contain an expiration timestamp and HMAC-SHA256 signature.

Generating a Signed URL

Request a signed delivery URL through the API:

curl -X POST https://api.tzzl.io/api/v1/files/FILE_ID/signed-url \
  -H "Authorization: Bearer sk_a1b2c3d4..."

Response

The signed URL includes expires and signature parameters:

https://cdn.tzzl.io/a1b2c3/image-01HQ...?expires=1700000000&signature=abc123...

URL Structure

{cdn_url}/{space_handle}/{storage_path}?expires={unix_timestamp}&signature={hmac_hex}

How Validation Works

The CDN validates signed URLs by:

1. Checking that both signature and expires parameters are present
2. Verifying the URL has not expired (expires > current time)
3. Reconstructing the string to sign from the URL path and sorted parameters (excluding the signature itself)
4. Computing the expected HMAC-SHA256 signature
5. Comparing the provided signature to the expected one

If validation fails, the CDN returns a 403 error.

Adding Transformations

You can combine signed URLs with transformation parameters. The transformation parameters are included in the signature calculation:

https://cdn.tzzl.io/a1b2c3/image-01HQ...?w=400&f=webp&expires=1700000000&signature=abc123...

Access Types

Expiration

The default expiration is 1 hour (3600 seconds). After expiration, the URL returns a 403 error and a new signed URL must be generated.

Security

• Signed URLs use HMAC-SHA256 with a server-side secret
• The signature covers the full URL path and all query parameters
• Expired URLs are always rejected, even if the signature is valid
• Tampering with any parameter invalidates the signature