Token Authentication
Protecting CDN-delivered content with signed URLs or tokens that expire after a set time. Prevents hotlinking and unauthorized access without requiring the CDN to call your auth server on every request.
Full Explanation
Token auth lets you control who can access CDN-cached content without losing the benefits of caching. The origin generates a signed URL (with an HMAC or similar), the CDN validates the signature at the edge, and serves the content only if the token is valid and hasn't expired.
This is essential for paid content, premium video streams, and download protection. Without token auth, anyone who discovers the CDN URL can access the content directly, share the link, and bypass your paywall entirely.
Most CDN providers support token authentication natively. You configure a shared secret on both your origin and the CDN. Your origin generates signed URLs with an expiry timestamp, and the CDN validates them at the edge. No origin callback needed, so cached content stays fast.
Examples
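```python
# Generate a signed URL (Python)
import hashlib
import hmac
import time

secret = b'your-cdn-secret-key'       # same shared secret the CDN is configured with
path = '/premium/video.m3u8'
expiry = int(time.time()) + 3600      # 1 hour
message = f'{path}{expiry}'.encode()  # signed string: path followed by expiry
sig = hmac.new(secret, message, hashlib.sha256).hexdigest()
url = f'https://cdn.example.com{path}?expires={expiry}&sig={sig}'
```

```nginx
# Nginx: validate token (needs set-misc-nginx-module and lua-nginx-module, e.g. OpenResty)
location /premium/ {
    # set_hmac_sha256 yields raw bytes; hex-encode them to match Python's hexdigest()
    set_hmac_sha256 $raw_sig 'your-cdn-secret-key' "$uri$arg_expires";
    set_encode_hex $expected $raw_sig;
    if ($arg_sig != $expected) { return 403; }
    # 'if' has no numeric comparison, so compare the epoch expiry in Lua
    set_by_lua_block $expired { return (tonumber(ngx.var.arg_expires) or 0) < ngx.time() and 1 or 0 }
    if ($expired) { return 410; }
}
```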
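The edge-side check, written out in Python next to the signer so both halves can be run together. This is an added example, not code from this page or from any CDN's implementation; the names `sign_url` and `verify_url`, the fixed demo clock, and the 403/410 mapping (taken from the Nginx snippet) are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = b"your-cdn-secret-key"  # placeholder shared secret, as on the page


def sign_url(path, ttl=3600, now=None):
    """Origin side: same scheme as the page (HMAC-SHA256 over path + expiry)."""
    expiry = int(now if now is not None else time.time()) + ttl
    sig = hmac.new(SECRET, f"{path}{expiry}".encode(), hashlib.sha256).hexdigest()
    return f"https://cdn.example.com{path}?expires={expiry}&sig={sig}"


def verify_url(url, now=None):
    """Edge side: return the HTTP status the edge would answer with."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    expires = query.get("expires", [""])[0]
    sig = query.get("sig", [""])[0]
    # Reject missing or malformed parameters before doing any crypto.
    if not (expires.isascii() and expires.isdigit()) or not sig:
        return 403
    expected = hmac.new(SECRET, f"{parts.path}{expires}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison, so response timing does not reveal how many
    # leading characters of the signature matched.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return 403
    # The expiry is trusted only after the signature that covers it checks out.
    if int(expires) < int(now if now is not None else time.time()):
        return 410
    return 200


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for a repeatable demo
    good = sign_url("/premium/video.m3u8", now=t0)
    print(verify_url(good, now=t0 + 60))                            # 200
    print(verify_url(good, now=t0 + 7200))                          # 410
    print(verify_url(good.replace("video", "other"), now=t0 + 60))  # 403
```

Because the expiry is part of the signed string, a client that edits `expires` to extend a link gets 403, not a longer-lived URL.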
Related CDN concepts include:
- Edge Server — A CDN server located at the network edge, close to end users. Handles caching, SSL …
- Rate Limiting — Restricting the number of requests a client can make within a time window. Protects origins …
- SNI (Server Name Indication) — A TLS extension that lets the client specify which hostname it's connecting to during the …
- TLS (Transport Layer Security) — The encryption protocol that secures HTTPS connections. TLS encrypts data in transit between client and …