Secure token

Secure tokens protect your content by generating a unique hash that prevents unauthorised access to your URL / file.

To enable the secure token option, just click on the "Secure Token" option in the Access Protection section after selecting the CDN Resource. Once enabled, you're presented with a key that is used as part of the process of generating secured links.

You can customise the link expiry with a timestamp. The most secure option is to include an IP address, should you wish to have full control over who's accessing your content and create links per user and the relevant IP address.

Main functions

  • Secure tokens allow you to generate links to your live stream with an expiration time, effectively protecting your content.
  • Generated secure links provide the content only within a predefined period of time and only to visitors who have the links which contain the secure hash.
  • It is not possible to request secured content without a valid (non-expired) hash from the CDN resource.
  • After the expiration time, the links are unavailable, and new ones must be generated in order to request the secured content again.

Hash

The hashing function of the secure token generator makes use of a standard MD5 message-digest algorithm which produces a 128-bit hash value.

Specifying the secure token path

If you plan on enabling Secure Tokens, you will then need to correctly generate the URLs to access your files through the CDN.

When activating secure tokens in your account, you're presented with the option to choose either Parameter or Path.

With regard to live streaming, it is important that you set the secure tokens to Path. That way the CDN is able to properly secure your streams, using the PHP secure token generator, which works from your live stream path.

It is also possible to create a similar generator in another programming language of your choice; the generator is not limited to the PHP examples below.

Generating Secure Token Links

To generate using the Path secure token option, use the following code example:

<?php
    /**
    * Create hash link Path CDN Resource
    *
    * @param string $cdnResourceUrl
    * @param string $filePath
    * @param string $secureToken
    * @param ?int $expiryTimestamp
    * @return string
    */
    function getSignedUrlPath(string $cdnResourceUrl, string $filePath, string $secureToken, ?int $expiryTimestamp = NULL) : string
    {
        // because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
        // for which we generate the secure token. Because of that, everything included after the last slash is stripped.
        $strippedPath = substr($filePath, 0, strrpos($filePath, '/'));

        // make the base64 output URL-safe: replace + and / with - and _ (the = padding is kept)
        $invalidChars = ['+','/'];
        $validChars = ['-','_'];

        if ($strippedPath[0] != '/') {
            $strippedPath = '/' . $strippedPath;
        }

        if ($pos = strpos($strippedPath, '?')) {
            $filePath = substr($strippedPath, 0, $pos);
        }

        $hashStr = $strippedPath . $secureToken;

        if ($expiryTimestamp) {
            $hashStr = $expiryTimestamp . $hashStr;
            $expiryTimestamp = ',' . $expiryTimestamp;
        }

        // the URL is, however, intentionally returned with the previously stripped parts (e.g. playlist/{chunk}..)
        return 'http://' . $cdnResourceUrl . '/' .
        str_replace($invalidChars, $validChars, base64_encode(md5($hashStr, TRUE))) .
        $expiryTimestamp . $filePath;
    }

Usage example

    $signedUrlPath = getSignedUrlPath('1234456789.rsc.cdn77.org', '/file/playlist/d.m3u8', 'ykX1QNTRvp3tfSn8', 1389183132);

    // http://1234456789.rsc.cdn77.org/z--FA_CsNsR2TOV2eg9q4w==,1389183132/file/playlist/d.m3u8

Generating Secure Token Links for an IP Address

The following example outlines how to use Secure Tokens with an additional IP address parameter. This enables you to lock a specific link to an IP address, while also making use of secure tokens. Please ensure that you also set the Secure Tokens to Path when using this feature.

<?php
    /**
    * Create hash link Path CDN Resource
    *
    * @param string $cdnResourceUrl
    * @param string $filePath
    * @param string $ip
    * @param string $secureToken
    * @param ?int $expiryTimestamp
    * @return string
    */
    function getSignedUrlPath(string $cdnResourceUrl, string $filePath, string $ip, string $secureToken, ?int $expiryTimestamp = NULL) : string
    {
        // because of hls/dash, anything included after the last slash (e.g. playlist/{chunk}) shouldn't be part of the path string,
        // for which we generate the secure token. Because of that, everything included after the last slash is stripped.
        $strippedPath = substr($filePath, 0, strrpos($filePath, '/'));
        
        // make the base64 output URL-safe: replace + and / with - and _ (the = padding is kept)
        $invalidChars = ['+','/'];
        $validChars = ['-','_'];
        
        if ($strippedPath[0] != '/') {
            $strippedPath = '/' . $strippedPath;
        }
        
        if ($pos = strpos($strippedPath, '?')) {
            $filePath = substr($strippedPath, 0, $pos);
        }
        
        $hashStr = $strippedPath . $ip . $secureToken;
        
        if ($expiryTimestamp) {
            $hashStr = $expiryTimestamp . $hashStr;
            $expiryTimestamp = ',' . $expiryTimestamp;
        }
        
        // the URL is however, intentionally returned with the previously stripped parts (eg. playlist/{chunk}..)
        return 'https://' . $cdnResourceUrl . '/' .
        str_replace($invalidChars, $validChars, base64_encode(md5($hashStr, TRUE))) .
        $expiryTimestamp . $filePath;
    }
    
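    // the IP string must match the visitor's address exactly (no surrounding whitespace), since it is part of the hashed string
    $signedUrlPath = getSignedUrlPath('1234567890.rsc.cdn77.org', '/live/playlist.m3u8', '1.2.3.4', 'sauhc8s2jscks', 1617203518);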
echo $signedUrlPath;
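
A Python port of the two PHP generators above, together with a matching check that recomputes the token, compares it in constant time and enforces the expiry. This is an added example, not CDN77's code; the names make_token, signed_url and verify_path are hypothetical, and verify_path only mirrors the generator, since the page does not describe how the CDN validates links internally.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Added example: assumes file paths without a query string.
def make_token(file_path: str, secret: str,
               expiry: Optional[int] = None, ip: str = "") -> str:
    """URL-safe base64 of md5(expiry + directory + ip + secret)."""
    # As in the PHP code, only the directory is hashed, so one token
    # covers the playlist and every chunk next to it.
    directory = file_path.rpartition("/")[0]
    if not directory.startswith("/"):
        directory = "/" + directory
    hash_input = f"{expiry or ''}{directory}{ip}{secret}"
    digest = hashlib.md5(hash_input.encode()).digest()
    # urlsafe_b64encode turns + into - and / into _ and keeps the "="
    # padding, matching the PHP str_replace().
    return base64.urlsafe_b64encode(digest).decode()


def signed_url(host: str, file_path: str, secret: str,
               expiry: Optional[int] = None, ip: str = "") -> str:
    if not file_path.startswith("/"):
        file_path = "/" + file_path
    token = make_token(file_path, secret, expiry, ip)
    suffix = f",{expiry}" if expiry else ""
    return f"https://{host}/{token}{suffix}{file_path}"


def verify_path(url_path: str, secret: str, client_ip: str = "",
                now: Optional[int] = None) -> bool:
    """Validate '/<token>[,<expiry>]/<file path>' (hypothetical checker)."""
    first, sep, rest = url_path.lstrip("/").partition("/")
    token, _, expiry_text = first.partition(",")
    if not sep:
        return False
    expiry = None
    if expiry_text:
        if not (expiry_text.isascii() and expiry_text.isdigit()):
            return False
        expiry = int(expiry_text)
        if expiry < (int(time.time()) if now is None else now):
            return False
    expected = make_token("/" + rest, secret, expiry, client_ip)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(token.encode(), expected.encode())
```

Pass an empty ip to reproduce the first (non-IP) generator; the same token validates every file in the hashed directory, so scope each signed directory to content that shares one access policy.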
