URL signing

Last Updated: Aug 13, 2019


The URL signing feature protects the content uploaded to ApsaraVideo for VOD against illegal download and hotlinking. Using a referer blacklist and whitelist with hotlinking protection can resolve certain hotlinking issues. However, because the referer content can be forged, referer-based hotlinking protection cannot protect all resources. Using URL signing is a more effective way to protect the security of origin resources.


The URL signing feature uses Alibaba Cloud CDN nodes together with client resource sites to provide more secure and reliable hotlinking protection for origin resources. URL signing is implemented as follows:

  1. The CDN client site provides you with a signed URL (including permission verification information).
  2. You use the signed URL to send a request to a CDN node.
  3. The CDN node verifies the permission information in the signed URL to determine the legality of the request. The CDN node responds to legal requests and rejects illegal ones. This effectively protects the resources of CDN client sites.


  • Configure the ApsaraVideo for VOD console.

    1. Log on to the ApsaraVideo for VOD console and choose Domain Names in the left-side navigation pane.

    2. On the Domain Names page, click Configure for the target domain name.

    3. Choose Resource Access Control in the left-side navigation pane, click the URL Authentication tab, and then click Modify.

    4. In the URL Authentication dialog box, turn on the URL Authentication switch.

  • After URL signing is enabled, ApsaraVideo Player SDKs and the API or SDK for obtaining playback URLs automatically generate playback URLs with a validity period. To generate a dynamic signed URL, see the signing method described below.

Note: After URL signing is enabled, the URLs of video, audio, thumbnail, and snapshot files are all signed.

  • The primary and secondary keys are equally effective. The secondary key is used to ensure that the primary key can be changed smoothly without causing service interruption. If you directly change the primary key without using any secondary key, all the playback URLs created with the primary key immediately become invalid. If you change the primary key to the secondary key, the playback URLs created with the original primary key are not made invalid immediately. The video playback service is still available with the secondary key.

  • After you set the Default Validity Period parameter for the target domain name, all URLs using the domain name have the specified validity period. You can also customize the validity period for a single URL.

Note: If the Default Validity Period parameter is set, CDN adds the default validity period to the timestamp parameter value to determine the expiration time of a URL.

Signing method

Signed URL structure

    http://DomainName/Filename?auth_key=timestamp-rand-uid-md5hash

A signed URL consists of a file URL and an access token (auth_key). The value of the md5hash parameter in the access token is calculated by the MD5 algorithm based on the authentication key and expiration time. The access token has a specific validity period. The following table describes the timestamp, rand, uid, and md5hash parameters.

Authentication parameter description

| Name | Description |
| --- | --- |
| timestamp | The URL expiration time. The value is a UNIX timestamp representing the number of seconds that have elapsed since 00:00:00 on January 1, 1970. CDN adds the value of the Default Validity Period parameter to the timestamp parameter value to determine the expiration time of a URL. |
| rand | The random number, which is generally set to 0. To generate a different URL each time, you can use the UUID as the random number. |
| uid | The additional parameter, which is generally set to 0. |
| md5hash | The MD5 hash calculated by the MD5 algorithm. The value is a combination of digits 0 to 9 and lowercase English letters a to z, with a fixed length of 32 characters. |

URL expiration time

A signed URL expires once the current time passes the timestamp parameter value plus the time specified by the Default Validity Period parameter. In this case, CDN returns HTTP error 403.
For example, if the timestamp parameter is set to 1597474800 (2020-08-15 15:00:00) and the Default Validity Period parameter is set to 30 minutes, the actual expiration time is 2020-08-15 15:30:00.

md5hash calculation method

    sstring = "URI-timestamp-rand-uid-PrivateKey"
    md5hash = md5sum(sstring)

  • URI: the relative path of the requested file, excluding parameters. For example, /Filename.
  • PrivateKey: the authentication key configured in the ApsaraVideo for VOD console. Either the primary key or secondary key can be used.
  • md5sum: the function for calculating the MD5 hash. Use the MD5 hash calculation function provided by your development language.


  1. Assume that the URL of the requested file is as follows:

  2. Set the authentication key to aliyuncdnexp1234 (primary key or secondary key configured in the ApsaraVideo for VOD console).

  3. Set the expiration time of the signed URL to 2015-10-10, 00:00:00 (UNIX timestamp: 1444435200).

  4. Assemble the string for calculating the md5hash value as follows:

       /video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234

     Assume that both the rand and uid parameters are set to 0.

  5. Calculate the md5hash value as follows:

       md5hash = md5sum("/video/standard/1K.html-1444435200-0-0-aliyuncdnexp1234") = 80cd3862d699b7118eed99103f2a3a4f

  6. Obtain the request URL as follows:

In the preceding URL, the auth_key parameter indicates the access token contained in the signed URL.
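
The signing method above, together with the check a CDN node performs in step 3 of the workflow, as an added example (not Alibaba Cloud code). It goes beyond the page's single calculation by also covering expiry with a default validity period and acceptance of either the primary or the secondary key. The function names, the host vod.example.com and the key name new-primary are assumptions made for illustration; the key aliyuncdnexp1234 and the timestamp come from the page's example.

```python
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# timestamp-rand-uid-md5hash; in this sketch rand and uid must not contain "-",
# so a UUID used as rand is passed in its hex form (uuid.uuid4().hex).
TOKEN_RE = re.compile(r"([0-9]+)-([^-]+)-([^-]+)-([0-9a-f]{32})")


def md5hash(uri, timestamp, rand, uid, key):
    """md5sum("URI-timestamp-rand-uid-PrivateKey") as 32 lowercase hex characters."""
    sstring = f"{uri}-{timestamp}-{rand}-{uid}-{key}"
    return hashlib.md5(sstring.encode("utf-8")).hexdigest()


def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Append auth_key to url (assumes url carries no query string yet)."""
    uri = urlsplit(url).path  # relative path only, parameters excluded
    digest = md5hash(uri, timestamp, rand, uid, key)
    return f"{url}?auth_key={timestamp}-{rand}-{uid}-{digest}"


def verify_url(url, keys, now, default_validity=0):
    """True if auth_key matches one of the configured keys and has not expired."""
    parts = urlsplit(url)
    token = parse_qs(parts.query).get("auth_key", [""])[0]
    m = TOKEN_RE.fullmatch(token)
    if m is None:
        return False  # missing or malformed token
    timestamp, rand, uid, presented = m.groups()
    if now > int(timestamp) + default_validity:
        return False  # expired; the page says CDN answers 403 here
    # Accept the primary or the secondary key; compare in constant time.
    return any(
        hmac.compare_digest(md5hash(parts.path, timestamp, rand, uid, k), presented)
        for k in keys
    )


if __name__ == "__main__":
    # Constructed sample input: placeholder host, key and timestamp from the page.
    signed = sign_url("http://vod.example.com/video/standard/1K.html",
                      "aliyuncdnexp1234", 1444435200)
    print(signed)
    # Old primary key kept as secondary: previously issued URL still verifies.
    print(verify_url(signed, ["new-primary", "aliyuncdnexp1234"], now=1444435000))
    # Key replaced with no secondary: the same URL is rejected.
    print(verify_url(signed, ["new-primary"], now=1444435000))
```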