Signed Cookies

Authenticate viewers through persistent session tokens instead of URL parameters.

Overview

What It Is

Signed Cookies authenticate video playback through HTTP cookies instead of embedding tokens in URLs. After a user logs in, your server issues a signed cookie that proves they're authorized to watch. The cookie persists across multiple videos and page reloads, making it ideal for web applications where users authenticate once and browse content freely. Unlike signed URLs, cookies never appear in browser history, referrer headers, or server logs.

Coming Soon
Process

How It Works

  1. User authenticates

    Your app confirms the user's identity through login or SSO.

  2. Issue signed cookie

    Your server generates a cryptographically signed cookie with expiry and user ID.

  3. Browser stores the cookie

    The player automatically includes the cookie with every request.

  4. CDN validates silently

    Qencode checks the cookie signature and user permissions without redirecting.

  5. Access is revoked on expiry

    Expired cookies fail silently, forcing re-authentication.

Overview

Why Signed Cookies

Reduce costs

Lower bandwidth and storage expenses without compromising quality.

Save time

Automate complex processing that would take hours manually.

Scale effortlessly

Handle thousands of videos with the same API call.

Integrate in minutes

Simple REST API with comprehensive SDKs and documentation.

Use Cases

Who Uses Signed Cookies

VOD Platforms

A streaming service issues session cookies after login so users can browse and watch multiple videos without seeing token URLs in their browser history. Improve perceived security by 40%, reduce customer support questions about "why is my URL in Google history," and pass security audits requiring hidden tokens.

Enterprise

An internal company portal issues short-lived signed cookies tied to company VPN sessions so employees can't share permanent access links. Meet enterprise security requirements for session-based access and automatically revoke access when VPN ends.

EdTech

An online course platform issues cookies per student per course term so access automatically expires when enrollment ends. Simplify access revocation by tying it to session expiry instead of manual deprovisioning, reducing overhead.

Tutorial

How to Use Signed Cookies

Watch a quick walkthrough showing how to configure and use Signed Cookies through the Qencode dashboard and API.

Tutorial Video Coming Soon
For Developers

Technical Reference

Workflow TypeWeb application generates a signed token and sets it as a Qencode-Auth-Token cookie.
Cookie NameQencode-Auth-Token
API MethodPOST /v1/access_token, POST /v1/buckets/<bucket_name>/cors, and GET /v1/buckets/<bucket_name>/cors
PrerequisitesCustom domain for content delivery, signing key for the custom domain, bucket access policy set to Authenticated.
Domain SetupPlayer page runs on the main app domain; protected video content is served from a playback subdomain/custom domain.
CORS RequirementsAccess-Control-Allow-Origin: https://your-app-domain.com and Access-Control-Allow-Credentials: true
Allowed MethodAt least GET must be allowed for bucket content requests.
Player RequirementEnable credentials in the video player. For Qencode Player, use withCredentials: true.

Request Example

You can set the CORS policy for the bucket.

curl -X POST 'https://api-cdn.qencode.com/v1/buckets/signed-cookie-test/cors'  
-H 'Authorization: Bearer $ACCESS_TOKEN'  
-H 'Content-Type: application/json'  
--data '{
    "Access-Control-Allow-Origin": "https://your-app-domain.com",
    "Access-Control-Allow-Methods": "GET",
    "Access-Control-Allow-Credentials": "true"
}'

Copy this payload and use it with your API key to test Signed Cookies on your own videos.

View Signed Cookies Tutorial
Pricing

What It Costs

Included with Delivery

Signed Cookies are available with Qencode Content Delivery. There is no separate feature fee; delivery traffic is billed based on usage.

We love creating powerful solutions that are aligned with the needs of your business.

Please send us a message if you have a question or Schedule a call for a demo to discuss your integration.

Let's talk

First Name
Last Name
Company
Email
Your Message

Contact us with any questions. We'd love to help.

Los Angeles, CA - (HQ)

San Francisco, CA

New York, NY