Referer-based hotlink protection is not completely secure. We recommend that you also use URL signing to protect ApsaraVideo Live resources against illegal downloads and unauthorized operations. This topic describes how to configure URL signing in the ApsaraVideo Live console.

How URL signing works

ApsaraVideo Live works with your live streaming server to implement URL signing to protect live streaming resources against hotlinking in a more secure and reliable manner.

  1. Your live streaming server provides a signed URL that contains authentication information.
  2. Stream ingest or streaming users send a request to ApsaraVideo Live by using the signed URL.
  3. ApsaraVideo Live verifies the authentication information in the signed URL to determine whether the request is valid. ApsaraVideo Live processes valid requests and rejects invalid requests.
Important: After a request URL is authenticated by ApsaraVideo Live, special characters such as equal signs (=) and plus signs (+) in the URL are escaped.

For more information about the scenarios of URL signing, how it works, and the composition of a signed URL, see URL signing.


  1. Log on to the ApsaraVideo Live console.
  2. In the left-side navigation pane, click Domains to go to the Domain Management page.
  3. Find the streaming domain that you want to configure and click Domain Settings.
  4. Choose Streaming Management > Access Control.
  5. On the URL Authentication tab, click Change Settings.
    • By default, URL signing is enabled for a domain name that you add. If you disable URL signing, make sure that you understand the risks related to unauthorized use of your resources and agree to the Disclaimer for Disabling URL Signing.
    • When URL signing is enabled, you can click Change Settings to modify the URL signing settings. When URL signing is disabled, you can turn on URL Authentication and then configure the URL signing settings.
  6. Configure the URL signing settings and click OK.
    The following list describes the parameters.
    • Authentication Type: ApsaraVideo Live streaming domains support only the authentication type of Type A to protect resources on the origin server.
      Note: If URL signing fails, an HTTP status code 403 is returned. In this case, you must recalculate the signature.
      • Invalid MD5 values
        Example: X-Tengine-Error:denied by req auth: invalid md5hash=de7bfdc915ced05e17380a149bd760be
      • Invalid timestamps
        Example: X-Tengine-Error:denied by req auth: expired timestamp=1439469547
    • Primary Key: After you add a domain name, ApsaraVideo Live generates a random primary key for the domain name. To view the primary key, click Domains in the left-side navigation pane and click the domain name. On the page that appears, choose Streaming Management > Access Control. Then, view the primary key on the URL Signing tab. You can also change the primary key.
    • Secondary Key: Specify a custom secondary key.
    • Validity Period: The signed URL can be used to initiate stream ingest or streaming requests only within the validity period. Persistent connections are established for stream ingest and streaming. Stream ingest and streaming requests that are initiated within the validity period are not dropped after the validity period expires. New stream ingest and streaming requests fail to be initiated after the validity period expires.
      The default validity period for a signed URL under a domain name that you add is 1 day or 1,440 minutes. You can specify a custom validity period for the signed URL.
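
The signing and verification steps under "How URL signing works", together with the two 403 cases in the note, as an added example (not code from this page or from ApsaraVideo Live). This page does not spell out the Type A layout, so the example assumes auth_key=timestamp-rand-uid-md5hash with md5hash = MD5("URI-timestamp-rand-uid-key"), that a URL expires at timestamp plus the validity period, and that either key is accepted; the host, path and keys are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

VALIDITY_SECONDS = 1440 * 60  # console default: 1,440 minutes


def _md5hash(uri, timestamp, rand, uid, key):
    # Assumed Type A signing string: "URI-timestamp-rand-uid-key".
    return hashlib.md5(f"{uri}-{timestamp}-{rand}-{uid}-{key}".encode()).hexdigest()


def sign_url(url, key, now, rand="0", uid="0"):
    """Step 1, your server: append auth_key=timestamp-rand-uid-md5hash."""
    digest = _md5hash(urlsplit(url).path, now, rand, uid, key)
    return f"{url}?auth_key={now}-{rand}-{uid}-{digest}"


def verify_url(signed_url, keys, now, validity=VALIDITY_SECONDS):
    """Step 3, edge side: 'ok' or a reason shaped like the X-Tengine-Error text."""
    parts = urlsplit(signed_url)
    auth = parse_qs(parts.query).get("auth_key", [""])[0].split("-")
    if len(auth) != 4 or not (auth[0].isascii() and auth[0].isdigit()):
        return "malformed auth_key"
    timestamp, rand, uid, md5hash = auth
    # Assumption: the primary and the secondary key are both accepted.
    matches = [
        hmac.compare_digest(
            _md5hash(parts.path, timestamp, rand, uid, key).encode(), md5hash.encode()
        )
        for key in keys
    ]
    if not any(matches):
        return f"invalid md5hash={md5hash}"  # wrong key, or path/timestamp altered
    if now > int(timestamp) + validity:
        return f"expired timestamp={timestamp}"  # sign a fresh URL
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    primary, secondary = "constructed-primary-key", "constructed-secondary-key"
    url = sign_url("rtmp://live.example.com/app/stream", secondary, now=1700000000)
    print(url)
    print(verify_url(url, [primary, secondary], now=1700000060))
    print(verify_url(url, [primary], now=1700000060))
    print(verify_url(url, [primary, secondary], now=1700000000 + VALIDITY_SECONDS + 1))
```

Running the same check locally against a URL that returned 403 shows whether the signature has to be recalculated because of the key or path (invalid md5hash) or only because it has aged out (expired timestamp).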

