# Authentication

#### self-signed URLs

The service uses **self-signed URLs** for authentication, ensuring secure access to image transformations. The authentication process involves signing the URL with an HMAC (Hash-based Message Authentication Code) hash. This hash is generated using your secret key, which guarantees the integrity and authenticity of the request. Each self-signed URL comprises the following components:

* **Signature**: An HMAC hash of the transformation path and expiry timestamp.
* **Expires**: A Unix timestamp that defines the validity period of the URL. Once this timestamp is reached, the URL becomes invalid and can no longer be used to access the service.
* **Id**: A unique identifier provided by the user

{% hint style="info" %}
If the expiry timestamp is not reached and the api key associated with the request is expired, the endpoint will be treated as expired.
{% endhint %}

Ensure that your API key and secret remain confidential to maintain the security of your signed URLs.

**🔑 Required Parameters**

| Parameter   | Type    | Description                                                  |
| ----------- | ------- | ------------------------------------------------------------ |
| `id`        | string  | A unique identifier for the request (e.g., user ID)          |
| `expires`   | integer | A Unix timestamp indicating when the request becomes invalid |
| `key`       | string  | Your API key (public identifier)                             |
| `signature` | string  | HMAC SHA-256 signature (hex-encoded lowercase)               |

> 🔒 If `expires` is in the past or the `signature` is invalid, the request will be rejected with `403 Forbidden`.

#### 🔏 Signature Generation

To sign a request, use HMAC-SHA256 on a string composed of the following:

```ini
data = "#{id}:#{expires}"
signature = HMAC_SHA256(secret, data)
```

#### Example in JavaScript

```javascript
const crypto = require("crypto");

// 'secret' is the API secret for your API Key in your portal

function generateSignature(id, expires, secret) {
  const data = `${id}:${expires}`;
  return crypto.createHmac("sha256", secret).update(data).digest("hex");
}
```

#### Example in Python

```python
import hmac
import hashlib

def generate_signature(id, expires, secret):
    data = f"{id}:{expires}".encode()
    return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()
```