Authentication

self-signed URLs

The service uses self-signed URLs for authentication, ensuring secure access to image transformations. The authentication process involves signing the URL with an HMAC (Hash-based Message Authentication Code) hash. This hash is generated using your secret key, which guarantees the integrity and authenticity of the request. Each self-signed URL comprises the following components:

• Signature: An HMAC hash of the transformation path and expiry timestamp.

• Expires: A Unix timestamp that defines the validity period of the URL. Once this timestamp is reached, the URL becomes invalid and can no longer be used to access the service.

• Id: A unique identifier provided by the user

If the expiry timestamp is not reached and the api key associated with the request is expired, the endpoint will be treated as expired.

Ensure that your API key and secret remain confidential to maintain the security of your signed URLs.

🔑 Required Parameters

Parameter	Type	Description
id	string	A unique identifier for the request (e.g., user ID)
expires	integer	A Unix timestamp indicating when the request becomes invalid
key	string	Your API key (public identifier)
signature	string	HMAC SHA-256 signature (hex-encoded lowercase)

🔒 If expires is in the past or the signature is invalid, the request will be rejected with 403 Forbidden.

🔏 Signature Generation

To sign a request, use HMAC-SHA256 on a string composed of the following:

data = "#{id}:#{expires}"
signature = HMAC_SHA256(secret, data)

Example in JavaScript

const crypto = require("crypto");

// 'secret' is the API secret for your API Key in your portal

function generateSignature(id, expires, secret) {
  const data = `${id}:${expires}`;
  return crypto.createHmac("sha256", secret).update(data).digest("hex");
}

Example in Python

import hmac
import hashlib

def generate_signature(id, expires, secret):
    data = f"{id}:{expires}".encode()
    return hmac.new(secret.encode(), data, hashlib.sha256).hexdigest()