All Products
Search

This Product

    CDN:Type C signing

    Document Center

    CDN:Type C signing

    Last Updated:Feb 05, 2026

    The URL signing feature protects your site's resources from unauthorized downloads and use. Alibaba Cloud CDN provides four signing methods. This topic describes the principles of type C signing and provides examples.

    How it works

    • Structure of a signed URL for type C signing

      • Format 1 

        http://DomainName/{<md5hash>/<timestamp>}/FileName

      • Format 2 

        http://DomainName/FileName?{KEY1=<md5hash>&KEY2=<timestamp>}
      Note

      The content in {} is the encrypted information that is added to the standard URL.

    • Field description

      Field

      Description

      DomainName

      The domain name of your CDN site.

      PrivateKey

      A custom encryption key. It must be 16 to 32 characters long and can contain uppercase letters, lowercase letters, and digits.

      FileName

      The URL for the actual origin fetch. For signing, the FileName must start with /.

      timestamp

      The time when the signing server generates the signed URL. This field, along with the validity period of the signed URL, determines when the signed URL expires. The time is a Unix timestamp from the signing server. A Unix timestamp is the number of seconds that have elapsed since 00:00:00 UTC on January 1, 1970. It is a 10-digit positive decimal integer and is independent of the time zone. The timestamp is represented in hexadecimal format.

      Note

      In most cases, the validity period of the signed URL is the validity period configured for CDN. If you extend the validity period when you generate the signed URL, `timestamp` = UNIX timestamp + extended period. The actual validity period of the signed URL is `timestamp` + the period configured for CDN.

      md5hash

      A string calculated using the MD5 algorithm. It is a 32-character fixed-length string that consists of digits 0-9 and lowercase letters a-z.

      The value of md5hash is calculated from the following string.

      sstring = "Privatekey+URI+timestamp" (URI is the relative address of the requested object and does not contain parameters, such as /Filename)
md5hash = md5sum(sstring)

    • Authentication logic

      After a CDN server receives a request for a resource, it checks whether timestamp + validity period of the signed URL is earlier than the current time.

      • If timestamp + validity period of the signed URL is earlier than the current time, the server determines that the URL has expired and returns an HTTP 403 error.

      • If timestamp + validity period of the signed URL is not earlier than the current time, the server constructs a string in the sstring format. For information about how to construct the sstring, see the table. The server then uses the MD5 algorithm to calculate the md5hash value. Finally, the server compares the calculated md5hash value with the md5hash value in the user's request.

        • If the values match, the authentication is successful and the resource is returned.

          Note

          When authentication is successful, the signing parameters are removed from the URL to revert it to the original URL. This improves the cache hit ratio and reduces back-to-origin traffic. For example:

          • URL format with signing parameters: http://DomainName/FileName?{KEY1=<md5hash>&KEY2=<timestamp>}

          • After authentication succeeds:

            • URL format used to generate the cache key: http://DomainName/FileName

            • URL format for the actual origin fetch: http://DomainName/FileName

        • If the values do not match, the authentication fails and an HTTP 403 error is returned.

    Examples of signed URLs

    The following examples show how type C signing is implemented.

    • Example conditions

      • Origin request:

        http://domain.example.com/test.flv
        Note

        If the request URL contains Chinese characters or other non-ASCII characters, you must first encode the URL. Then, use the encoded URL to construct the string for hashing. For example:

        • Original URL: https://example.com/image/AlibabaCloud.jpg

        • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

      • Value of PrivateKey: aliyuncdnexp1234.

      • Value of timestamp: 55CE8100.

    • Stitching Flow

      1. The CDN server constructs a string to be hashed to calculate the md5hash. 

        aliyuncdnexp1234/test.flv55CE8100

      2. Based on this string, the CDN server calculates the md5hash value.

        md5hash = md5sum(aliyuncdnexp1234/test.flv55CE8100) = a37fa50a5fb8f71214b1e7c95ec7a1bd

      3. Generate the signed URL.

        • Format 1: 

          http://domain.example.com/a37fa50a5fb8f71214b1e7c95ec7a1bd/55CE8100/test.flv

        • Format 2: 

          http://domain.example.com/test.flv?KEY1=a37fa50a5fb8f71214b1e7c95ec7a1bd&KEY2=55CE8100

    When a client makes a request using the signed URL, the CDN server calculates its own md5hash value. If the calculated value matches the md5hash value in the request, which is a37fa50a5fb8f71214b1e7c95ec7a1bd, and the signed URL has not expired, the authentication is successful. Otherwise, the authentication fails.