Referer-based hotlink protection is not completely secure. We recommend that you use
URL authentication to protect resources on the origin server against illegal downloads
and misuse. This topic describes how to enable or disable the URL authentication feature
and how to verify a signed URL.
Background information
By default, content distributed by ApsaraVideo VOD is publicly available, and users
can access it by using URLs. To protect your resources from hotlinking and unauthorized
access, you can use referer whitelists and blacklists, IP whitelists and blacklists,
and URL authentication to control access. URL authentication adds signature strings
and timestamps to URLs to enhance access control.
For more information about URL authentication and the implementation logic, see Configure URL authentication.
Enable and configure URL authentication
Notice:
- Before you enable URL authentication, make sure that you have configured URL authentication
rules, including authentication algorithms and cryptographic keys, on the origin server.
- The authentication logic on ApsaraVideo VOD must be the same as that on the origin
server.

- Log on to the ApsaraVideo VOD console.
- In the left-side navigation pane of the ApsaraVideo VOD console, choose .
- On the Domain Names page, find the domain name that you want to manage and click Configure in the Actions column.
- On the page that appears, click Resource Access Control.
- Click the URL Authentication tab. In the Set URL Authentication section, click Modify.
- In the URL Authentication dialog box, turn on URL Authentication and configure the authentication parameters.

The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Authentication Method | ApsaraVideo VOD supports only authentication method A to protect resources on the origin server. Note: If URL authentication fails, a 403 error is returned. Causes of the error include: |
| Primary Key | Specify the primary key for the selected authentication method. |
| Secondary Key | Specify the secondary key for the selected authentication method. The primary and secondary keys have the same effect. The secondary key is used to ensure a smooth switchover. If the primary key is changed, all generated playback URLs that use the original primary key immediately become invalid. When you switch the primary key to the secondary key, the generated playback URLs that use the original primary key remain valid for a period of time. The secondary key works as a primary key. This ensures a smooth switchover. |
| Default Validity Period | Specify a validity period for signed URLs. Users can access ApsaraVideo VOD before the signed URLs expire. The time when a signed URL expires is calculated based on the following formula: Expiration time = Timestamp + Validity period. Default value: 30. Unit: minutes. For example, the timestamp of a signed URL is 2020-08-15 15:00:00 (UTC+8), and the validity period is 30 minutes. In this case, the signed URL remains valid until 15:30:00 on August 15, 2020 (UTC+8). |
| Support Previewing | If the preview feature is enabled, users can view or listen to a snippet of a video or audio file, such as the first 5 minutes of the file. This feature is widely used in paid services, such as video or audio content that charges non-members a fee. For more information, see Configure the preview feature. |
- Click OK.
After the configuration is complete, URL authentication takes effect for this domain
name.
If all your resources are in the ApsaraVideo VOD console, the console will automatically
generate a signed URL with an expiration time. You can also obtain the signed URL
by calling the GetPlayInfo operation.
Note: After URL authentication is enabled, the URLs of video files, audio files, thumbnails,
and snapshots are signed.
Verify the URL authentication result
To ensure that the authentication logic is correctly implemented, we recommend that
you run a test in the ApsaraVideo VOD console to verify whether the signed URLs are
correct.
- In the Generate Authentication URL section, configure the Original URL parameter and other authentication parameters.
The following table describes the parameters.
| Parameter | Description |
| --- | --- |
| Original URL | Enter a complete URL, such as https://www.aliyundoc.com. |
| Authentication Method | By default, authentication method A is used. |
| Authentication Key | Enter the primary key or secondary key that you specified in Enable and configure URL authentication. |
| Validity Period | Enter the validity period of the signed URL that you specified in Enable and configure URL authentication. Unit: seconds. Example: 1800. |
- Click Generate to obtain the Authentication URL and Timestamp.
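
To cross-check a console-generated URL against the origin server's logic, the following origin-side verifier is an added example, not ApsaraVideo VOD's own code. It assumes the type A format that Alibaba Cloud documents for its CDN (auth_key=timestamp-rand-uid-md5hash, where md5hash is the MD5 of "URI-timestamp-rand-uid-key"), which this page does not spell out; the host, path and keys are constructed sample values.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# The page's example timestamp: 2020-08-15 15:00:00 (UTC+8), as epoch seconds.
TS = int(datetime(2020, 8, 15, 15, 0, tzinfo=timezone(timedelta(hours=8))).timestamp())

def _digest(path, timestamp, rand, uid, key):
    # Assumed type A input: "URI-timestamp-rand-uid-key", hashed with MD5.
    return hashlib.md5(f"{path}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()

def sign_url(url, key, timestamp, rand="0", uid="0"):
    """Append auth_key to a URL that has no query string."""
    path = urlsplit(url).path or "/"
    return f"{url}?auth_key={timestamp}-{rand}-{uid}-{_digest(path, timestamp, rand, uid, key)}"

def verify_url(url, keys, validity_seconds, now):
    """Return 200 if the URL is correctly signed and unexpired, else 403."""
    parts = urlsplit(url)
    values = parse_qs(parts.query).get("auth_key", [])
    if len(values) != 1:
        return 403
    fields = values[0].split("-")
    if len(fields) != 4 or not (fields[0].isascii() and fields[0].isdigit()):
        return 403
    timestamp, rand, uid, digest = fields
    # Expiration time = Timestamp + Validity period.
    if now > int(timestamp) + validity_seconds:
        return 403
    # Accept the primary or the secondary key so a key switchover stays smooth.
    for key in keys:
        expected = _digest(parts.path or "/", timestamp, rand, uid, key)
        if hmac.compare_digest(expected.encode(), digest.encode()):
            return 200
    return 403

if __name__ == "__main__":
    url = sign_url("https://example.com/video/sample.mp4", "constructed-old-key", TS)
    keys = ["constructed-new-key", "constructed-old-key"]  # primary, secondary
    print(verify_url(url, keys, 1800, TS + 1800))  # still inside the window
    print(verify_url(url, keys, 1800, TS + 1801))  # one second past expiry
```
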
Disable URL authentication
Notice: If URL authentication is disabled on ApsaraVideo VOD but user requests still carry
authentication parameters, ApsaraVideo VOD fails to remove the authentication parameters.
In this case, the requests cannot hit cache on ApsaraVideo VOD and are redirected
to the origin server. This increases network traffic on the origin server and data
transfer fees. If you want to disable URL authentication, make sure that URL authentication
is disabled on both the origin server and ApsaraVideo VOD.
- In the Set URL Authentication section, click Modify.
- In the dialog box that appears, turn off URL Authentication.
- On the origin server, delete the URL authentication settings.