Reduce costs
Lower bandwidth and storage expenses without compromising quality.
Control exactly who watches your content, down to the individual link.
Signed URLs embed cryptographic tokens directly in playback links, ensuring that only authorized viewers with valid tokens can play your content. Each link expires at a specific time and is tied to a specific user or IP, making it impossible to share the URL without breaking playback. This gives you granular control over access without requiring login pages or complex authentication systems.
Generate or provide a secret key that signs URLs on your backend.
When users request content, your server creates a signed playback link with expiry and access rules.
Include the token and policy (expiry, IP restrictions, user ID) as URL parameters.
Qencode's CDN verifies the signature before serving the first segment.
Expired tokens fail, and shared links become useless after the expiry time.
Lower bandwidth and storage expenses without compromising quality.
Automate complex processing that would take hours manually.
Handle thousands of videos with the same API call.
Simple REST API with comprehensive SDKs and documentation.
A streaming service generates unique signed URLs for each user that expire after 24 hours, so shared links die immediately. Cut password sharing costs by 30% and improve per-user metrics for licensing negotiations.
An online course platform creates signed URLs per student per lesson that expire after the course ends. Ensure 100% compliance with instructor licensing and prevent former students from accessing updated materials.
A company creates signed URLs for internal videos that lock to employee IP addresses and expire when employment ends. Eliminate manual access revocation and prevent ex-employees from watching confidential content.
Watch a quick walkthrough showing how to configure and use Signed URLs through the Qencode dashboard and API.
| API Method | PUT /v1/buckets/<BUCKET_NAME>/policy/$POLICY_NAME to require signed URLs. POST /v1/signing-keys to create a signing key. |
| Signing Algorithm | JWT signed with RS256 |
| Token Format | JWT appended to the file URL as ?auth=<TOKEN> |
| Token Headers | kid, alg: "RS256", typ: "JWT" |
| Token Claims | uri, exp, nbf |
| Expiry Options | exp sets expiration time. If omitted, the token has no expiration. nbf sets activation time. |
| Access Restrictions | Bucket must use authenticated access. uri can restrict access to a directory or file; empty uri allows access to any resource in the bucket. |
| URL Format | https://<bucket>.media-storage.<region>.qencode.com/path/to/file?auth=<TOKEN> or custom domain URL with ?auth=<TOKEN> |
| Key Management | Private key is shown only once. Each signing key can be used for one bucket only. |
Generate JWT signed token using RS256 algorithm with the following structure:
headers: {
"kid": "<signing key id>",
"alg": "RS256",
"typ": "JWT",
}
payload: {
"uri": "<key_path>",
"exp": "<expiration time>",
"nbf": "<not_before time>"
}Copy this payload and use it with your API key to test Signed URLs on your own videos.
View Signed URLs TutorialIncluded with Delivery
Signed URLs are available with Qencode delivery. There is no separate feature fee for secure playback links; delivery traffic is billed based on usage.
We love creating powerful solutions that are aligned with the needs of your business.
Please send us a message if you have a question or Schedule a call for a demo to discuss your integration.
Contact us with any questions. We'd love to help.
Los Angeles, CA - (HQ)
San Francisco, CA
New York, NY