Configure Basic URL Signing

You can use this document to learn how to configure URL signing via the StackPath API.

You can use URL signing to protect your CDN assets by ensuring that only authorized end users are able to access your assets. 

URL signing can be used to:

  • Set an expiration time on a given URL
  • Verify the URL was requested by the same IP addresses that issued the URL
  • Only allow certain user agents to access your URLs

Assets delivered with URL signing enabled use an MD5 hash appended to the URL to validate that access should be granted.


This guide focuses on how to use the API for URL signing. To learn how to use the StackPath Control Portal to perform the same action, see EdgeRules: Configure URL signing from the Control portal.

Reviewing Configuration Options for URL Signing Rule 

When you create a URL signing policy, there are some required configurations, as well as some optional configurations. 

Review the list below to understand your configuration options:

  "configuration": {
    "authUrlSign": [{
      "id": "string", 
      "tokenField": "string",      // Required
      "ignoreFieldsAfterToken": true,
      "passPhraseField": "string", // Required
      "passPhrase": "string",      // Required
      "expiresField": "string",
      "ipAddressField": "string",
      "uriLengthField": "string",
      "userAgentField": "string",
      "enabled": true,             // Required
      "methodFilter": "string",
      "pathFilter": "string",
      "headerFilter": "string"

Creating a URL Signing EdgeRule 

You must create a rule to enforce the authorization token when fetching URLs.

In this example, an EdgeRule will be created on a default scope, which indicates that the rule must be restricted to the appropriate pathFilter. 

In the following example, the rule will enforce URL signing on /signing/*

curl -H 'accept: application/json' -H 'Authorization Bearer BEARER_TOKEN' \
-X POST '' -d '
 "configuration": {
 "authUrlSign": [{
  "tokenField": "tokenfield123",
  "ignoreFieldsAfterToken": true,
  "passPhraseField": "passphrasefield",
  "passPhrase": "passphrase123",
  "enabled": true,
  "pathFilter": "signing/*"
 "name": "URL Signing on signing",
 "slug": "url-signing-on-signing"

Building Signed URLs

Review how to build signed URLs:

TTL (optional)Epoch time + 1 day (1534623693 at the time of this article)
passPhraseFieldpassphrasefield (from example above)
passPhrasepassphrase123 (from example above)
Unencoded URL
  • Encode the following portion of the URL: /videos/myfirstvideo.mp4?ttl=1534623693&passphrasefield=passphrase123
  • The URLs are encoded with MD5, so you can use the following command on a Mac to get the encoded piece: echo -n "/videos/myfirstvideo.mp4?ttl=1534623693&passphrasefield=passphrase123" | md5
  • The encoded piece is 8dcd148c1553d6a0b08c2dc3f6006c0e, which creates a post-encoded output of