All Products
Search

This Product

    CDN:Type A signing

    Document Center

    CDN:Type A signing

    Last Updated:Mar 11, 2026

    URL signing protects resources on your site from unauthorized downloads or usage by other sites. This topic explains how type A signing works for Alibaba Cloud CDN and provides an example.

    How it works

    • Structure of a type A signed URL 

      http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}
      Note

      The content in {} represents the encrypted information added to the standard URL.

    • Field descriptions

      Field

      Description

      DomainName

      The domain name of your CDN site.

      Filename

      The URL for the actual origin fetch. The Filename must start with a forward slash (/).

      auth_key

      The authentication information for the request. It consists of timestamp, rand, uid, and md5hash.

      timestamp

      The time when the signing server generates the signed URL. This value, along with the Validity Period of Signed URL, controls when the signed URL expires. The time is a 10-digit UNIX timestamp, which is the number of seconds that have elapsed since 00:00:00 on January 1, 1970.

      Note

      Set the TTL in the Configure URL Signing console. After the configuration is complete, the expiration time of the signed URL is timestamp + the validity period configured for CDN.

      rand

      A random number. Use a universally unique identifier (UUID) without hyphens (-). For example: 477b3bbc253f467b8def6711128c7bec.

      uid

      User ID. This field is not used. Set it to 0.

      md5hash

      A 32-character string calculated using the MD5 algorithm. It consists of digits and lowercase letters.

      Calculation method:

      sstring = "URI-Timestamp-rand-uid-PrivateKey" (URI is the relative path of the requested object, such as /Filename, and does not include parameters.)
md5hash = md5sum(sstring)

    • Authentication logic

      After a CDN server receives a request to access a resource, it checks whether timestamp + validity period of the signed URL is earlier than the current time.

      • If timestamp + validity period of the signed URL is earlier than the current time, the server determines that the URL has expired and returns an HTTP 403 error.

      • If timestamp + validity period of the signed URL is later than the current time, the server constructs a string in the sstring format (see the sstring format in the table). Then, it calculates the md5hash value using the MD5 algorithm and compares the calculated md5hash value with the md5hash value in the user's request.

        • If the values match, authentication is successful and the resource is returned.

          Note

          When authentication is successful, the signing parameters are removed from the URL to revert it to the original URL. This increases the cache hit ratio and reduces back-to-origin traffic. For example:

          • URL with signing parameters: http://DomainName/Filename?auth_key={<timestamp>-rand-uid-<md5hash>}

          • After successful authentication:

            • URL format used to generate the cache key: http://DomainName/FileName

            • URL format for the actual origin fetch: http://DomainName/FileName

        • If the values do not match, authentication fails and an HTTP 403 error is returned.

    Signed URL example

    The following example shows how type A signing is implemented.

    • Example conditions

      • Origin request object:

        http://domain.example.com/video/standard/test.mp4
        Note

        If the request URL contains Chinese characters or other non-ASCII characters, you must first encode the URL. Then, use the encoded URL to construct the string for hashing. For example:

        • Original URL: https://example.com/image/AlibabaCloud.jpg

        • Encoded URL: https://example.com/image/%E9%98%BF%E9%87%8C%E4%BA%91.jpg

      • The key is set to: aliyuncdnexp1234.

      • The signing server generates the signed URL at 08:00:00 on October 10, 2015 (UTC+8), which corresponds to the decimal integer value 1444435200.

    • Concatenation process

      1. The CDN server constructs a string to be hashed for calculating the md5hash. 

        /video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234

      2. Based on this string, the CDN server calculates the md5hash. 

        md5hash = md5sum("/video/standard/test.mp4-1444435200-0-0-aliyuncdnexp1234") = 23bf85053008f5c0e791667a313e28ce

      3. Generate the signed URL.

        http://domain.example.com/video/standard/test.mp4?auth_key=1444435200-0-0-23bf85053008f5c0e791667a313e28ce

    When a client uses the signed URL to make a request, if the md5hash value calculated by the CDN server is the same as the md5hash value in the request, which is 23bf85053008f5c0e791667a313e28ce, and the signed URL has not expired, authentication is successful. Otherwise, authentication fails.