The URL authentication feature protects origin server resources from unauthorized download and access. CDN provides you with three authentication types. This topic describes the principle of authentication type C and illustrates it with examples.


Encrypted URLs can have the following formats:
  • Format 1
  • Format 2
Note The content enclosed by braces ({}) indicates the encrypted information that is added based on the standard URL.
The following table describes authentication fields.
Parameter Description
DomainName The domain name of the CDN node.
FileName The actual back-to-origin access URL. During authentication, the Filename field must start with a forward slash (/).
timestamp The time when the origin server is accessed. The time must be in the UNIX format. It is an unencrypted plain text string that is 10 digits in length. It indicates the number of seconds that have elapsed since 00:00:00 Thursday, 1 January 1970, expressed in hexadecimal format.
md5hash The string calculated by using the MD5 algorithm. It must be 32 characters in length, and can contain digits and lowercase letters.


The following example shows you how to implement authentication type C.
  • The value of the PrivateKey field: aliyuncdnexp1234.
  • The value of the FileName field: /test.flv.
  • The value of the timestamp field: 55CE8100.
  • The MD5 hash value is calculated as follows:
    md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd
  • The following encrypted URLs are generated:
    • Format 1:
    • Format 2:
When you use an encrypted URL to access a CDN node, the CDN node extracts encrypted string 1 and obtains FileName and access time of the original URL. The CDN node performs the following steps to validate the request based on the defined business logic:
  1. The CDN node uses Filename, access time, and PrivateKey of the original URL to perform MD5 encryption. The encrypted string 2 is generated.
  2. The CDN node compares string 1 and string 2. If the two strings are different, the request is rejected.
  3. The CDN node checks whether the difference between its current time and time in the original URL has exceeds the time limit t. The default value of t is 1,800 seconds.
    • If the time difference is less than the time limit, the CDN node returns a successful response.
    • If the time difference is greater than the time limit, the CDN node rejects the request and returns a 403 error.
    Note A validity period of 1,800 seconds indicates that authentication fails when the difference between the time you access the origin server and the preset access time is greater than 1,800 seconds. For example, if you set the access time to 2020-08-15 15:00:00, the request URL will expire at 2020-08-15 15:30:00.