On this page

Signed URLs


A Signed URL is a URL that is generated to provide secure, time-limited access to a cloud storage object. These special URLs are useful for safely providing access to files while controlling who can see or edit them. Some key benefits for using Signed URLs often include:

  • Enhanced Control : You can set who can read and write the file, for each Signed URL you generate.

  • Time Limits: You can make access temporary, reducing the chance of unauthorized sharing in the future.

  • Easy to Use: Users don't need a separate account with the cloud service to access the file, making it quicker and simpler for them.

Enable Authenticated Access

In order to enable Signed URLs, you must first update the access policy of the your bucket. The access policy can set to either public or authenticated. By default, buckets are set to public access policy. If the access policy of a bucket is set to authenticated, its content will require a signed token for authentication, which can be passed in the URL. You can do this via the API or through our User Portal.

You can set the access policy using the following method:



  • <yourBucketName>: This should be replaced with the actual name of the bucket which policy you want to change.

In case authenticated policy is set for a bucket all content inside the bucket can be accessed with a signed token passed in the URL.

Request Example
curl -H "Authorization: Bearer $ACCESS_TOKEN" 
 -X PUT https://api-cdn.qencode.com/v1/buckets/$BUCKET_NAME/policy/$POLICY_NAME
Response Example
    "status": "ok"

  1. Navigate to the Buckets page and select the bucket your object is located in.
  2. Select Bucket Settings and click Enable Authenticated CDN access. This step allows you to generate Signed URLs for this bucket.
Enabling authenticated access for a bucket

Create a Signing Key

The signing key is used in the encryption process to generate the signed URL. The key encrypts parameters like the file path and expiration time, to creating a unique, secure and potentially time-limited access link. This process ensures that users with permission can access the content while the link is active.

You can create a signing key using the following API method:


To create a signing key for a Qencode S3 bucket, you should specify the bucket name in the request payload:

Request Example

You can create a signing key and use media storage playback authentication.

curl -X POST 'https://api-cdn.qencode.com/v1/signing-keys'  
-H 'Authorization: Bearer $ACCESS_TOKEN'  
-H 'Content-Type: application/json'  
--data-raw '{"stream_id": "1f1ab6a3-d867-4787-b882-7f2fb1203634"}'
Response Example
  "signing_key": {
      "stream_id": "1f1ab6a3-d867-4787-b882-7f2fb1203634",
      "private_key": "-----BEGIN RSA PRIVATE KEY-----
      "created": "2023-06-12 15:00:40",
      "id": "ec25a6a6-b31e-4ac9-af01-711460421c6b",
      "name": null
Immediately secure the returned private key. This private key will not be present in the other API calls getting signing key data.

You can get list your existing signing keys using the GET /v1/signing-keys API method. You also can rename an existing signing key using the PUT /v1/signing-keys/<signing_key_id> API method.

  1. Navigate to the Signing Keys page in the Content Delivery section.
  2. Click on Create signing key and select Media Storage Bucket from the drop down.
  3. Select your bucket, and click Create signing key to confirm your selection.
Signing Key Creation
Secure your private key immediately upon receipt. This key is crucial for accessing your content and will not be shown again. For your security, our system does not store or archive this key.

Generate signed tokens

The signed tokens in Qencode are JSON Web Tokens (JWT) that are used for authenticating requests to Qencode Content Delivery service. These tokens allow you to grant access to a specific Qencode bucket.

A signed token must be appended to your resource URL for authentication to work. This is done by adding the token as an 'auth' query string parameter. For example, a URL to access a video in your Qencode media storage bucket would look like this:

$BUCKETYour media storage bucket name.
$REGIONYour Qencode media storage region.
Currently available Qencode media storage regions are us-west and eu-central.

To authenticate a request to Qencode media storage bucket using the custom domain you can build a URL like this:

?auth=$TOKEN part is only required for buckets with authenticated access enabled.

Signed token structure

Once you save, the private key will be displayed, and a caution message will be visible instructing you to safely copy and save the Private Key for future uses. Please note, this key is shown only once.

The structure of a signed token includes a list of headers and payload values. Please see the list of supported headers and payload values below. You can also add your custom payload values to a JWT.

Generate JWT signed token using RS256 algorithm with the following structure:

headers: {
  "kid":  "<signing key id>",
  "alg": "RS256",
  "typ": "JWT",

payload: {
    "uri": "<key_path>", 
    "exp": "<expiration time>", 
    "nbf": "<not_before time>"
"kid"This is your signing key identifier and is mandatory.
"alg"Specifies the token signing method, which should be 'RS256'.
"typ"Indicates the type of token, which should always be 'JWT'.
"uri"(Optional) Contains directory or full path to the file with access granted using this token. Setting uri to an empty string authorizes the request to access any resource in the bucket.
"exp"(Optional) Sets the token's expiry time. If omitted, the token has no expiration.
"nbf"(Optional) Sets the token's activation time. If omitted, the token is immediately active.

Code samples in different programming languages you can use to generate a signed token.

Immediately secure the returned private key. This private key will not be present in the other API calls getting signing key data.

Deleting a signing key

You may choose to revoke access by deleting the Signing Key. In order to do this, please follow these steps:

To delete a Signed Key, pass the signing key ID via the delete signing key API method. The method and some examples can be found below:

Request Example

Deletes a signing key.

curl -H "Authorization: Bearer $ACCESS_TOKEN" 
 -X DELETE https://api-cdn.qencode.com/v1/signing-keys/$SIGNING_KEY_ID
Response Example
    "status": "ok"

  1. Navigate to the Signing Keys page in the Content Delivery section.

  2. Select the key you wish to delete.

  3. Click ‘Delete’ icon.

Expected Outcome: The key is invalidated, and URLs generated with it will no longer work.

Recommended Practices:

  • Periodically set expiration dates for JWT tokens.

  • Cycle keys on a regular basis.

  • Maintain unique keys for distinct JWT tokens.

  • Safeguard both JWT and public keys.


  • Once a private key is displayed, it will never be shown again.

  • Each key can only be utilized for a single bucket. You cannot use a single signing key across multiple buckets.

Need More Help?

For additional information, tutorials, or support, visit the Qencode Documentation pageLink or contact Qencode Support at support@qencode.com.