It depends on the object's access control list (ACL). Public objects support fixed URLs; private objects require a signed URL that expires after a configured period.
Public objects (public-read or public-read-write)
If the object ACL is set to public-read or public-read-write and its storage path has not changed, the URL remains the same indefinitely. Use the following format to access it:
<http or https>://<Bucket>.<Endpoint>/<Object>Example: https://examplebucket.oss-cn-hangzhou.aliyuncs.com/example.txt
Public ACLs expose objects to anyone with the URL, which can result in unauthorized access and unexpected fees. Use public ACLs only for content that is intentionally public, such as static assets served by a website. For all other content, keep objects private and use signed URLs. For more information, see Object ACLs.
Private objects
If the object ACL is private, only the owner can access it directly. To share access, generate a signed URL that embeds a time-limited signature:
<http or https>://<Bucket>.<Endpoint>/<Object>?SignatureThe signature expires after a configured period, so signed URLs cannot serve as fixed permanent links. For details on generating signed URLs, see Add signatures to URLs.
To ensure data security, we recommend setting the ACL of an object to private. Only the object owner can perform read and write operations on private objects.