About Token Authentication

Last update: 2026-04-22 16:25:23

Token Authentication is a content protection strategy that enhances security compared to traditional access control measures like IP Allowlists/Blocklists, Referer, Cookie and User-Agent checks. This method embeds authentication information, such as timestamps and encrypted strings, directly within the content URL. When a user requests content from a Content Delivery Network (CDN), they must present a URL containing valid authentication details. The CDN then verifies this information to determine whether to grant or deny access, effectively preventing unauthorized use of content URLs.

How It Works

The typical Token Authentication process involves the following key components:

  • Content Management Server: This server is responsible for generating authenticated URLs based on predefined rules. These rules include the specific authentication algorithm and key. Once generated, these URLs are provided to the client.
  • User (Client): The user, or client application, uses the authenticated URL provided by the content management server to request the desired content from the CDN edge servers.
  • CDN Edge Server: Upon receiving a request with an authenticated URL, the CDN edge server performs a validation check. This involves verifying the embedded authentication information, such as the timestamp and signature, to determine the legitimacy of the request. Based on the validation outcome, the CDN either serves the requested content or denies access.


Example Scenario

Consider a scenario where you need to protect an image file located at http://example.com/test.jpg. The URL authentication process would proceed as follows:

  1. Request for Authenticated URL: The user (client) initiates a request to the content management server for the URL of the protected content.
  2. Authenticated URL Generation: The content management server, based on its configured rules (including the authentication algorithm and key), generates a time-sensitive URL with an embedded token. For instance: http://example.com/test.jpg?token=123. This authenticated URL is then returned to the user.
  3. Content Request from CDN: The client uses the generated authenticated URL to request the content from the CDN edge servers.
  4. Authentication and Content Delivery: The CDN edge server receives the request and validates the authentication information present in the URL (in this case, the token parameter). If the authentication is successful, the CDN serves the test.jpg image to the client. If the authentication fails (e.g., the token is invalid or expired), the CDN denies the request.
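
The flow in steps 1 to 4, as an added example (not CDNetworks' code and not one of its authentication modes): an assumed scheme in which the token is an HMAC-SHA256 over the URL path and an expiry timestamp. The `expires` parameter, the key and the function names are hypothetical; only the `token` parameter name comes from the scenario above.

```python
import hashlib
import hmac
import time
from urllib.parse import urlsplit, parse_qs, urlencode

SECRET_KEY = b"constructed-demo-key"  # assumption: shared by content server and edge


def _sign(path: str, expires: int, key: bytes) -> str:
    # The signature binds the path and the expiry so neither can be changed alone.
    msg = f"{path}:{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_authenticated_url(url: str, ttl: int, key: bytes = SECRET_KEY, now=None) -> str:
    """Content management server side: return a time-limited URL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    token = _sign(urlsplit(url).path, expires, key)
    return f"{url}?{urlencode({'expires': expires, 'token': token})}"


def edge_validate(url: str, key: bytes = SECRET_KEY, now=None) -> tuple:
    """CDN edge side: return (HTTP status, reason) for a requested URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        token = query["token"][0]
    except (KeyError, ValueError):
        return 403, "missing or malformed authentication parameters"
    expected = _sign(parts.path, expires, key)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return 403, "invalid token"
    # Expiry is checked after the signature, so 'expires' is known to be untampered.
    if now > expires:
        return 403, "token expired"
    return 200, "ok"


if __name__ == "__main__":
    signed = make_authenticated_url("http://example.com/test.jpg", ttl=300)
    print(signed)
    print(edge_validate(signed))                               # fresh link
    print(edge_validate(signed.replace("test.jpg", "b.jpg")))  # path swapped
    print(edge_validate(signed, now=int(time.time()) + 301))   # after expiry
```

Because the expiry is part of the signed message, extending the lifetime by editing `expires` in the URL fails the signature check instead of the expiry check.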

How to Set Up Token Authentication

  1. Log in to the CDNetworks Console and select the appropriate product.
  2. Go to Configuration, locate the domain you wish to configure, and click Edit Configuration.
  3. Navigate to Access Control - Token Authentication in the left sidebar and click Modify.
  4. Configure the Apply to, Authentication Mode and other settings based on your needs.

Apply to
You can typically define the scope of requests to which URL authentication will be applied. Common options include:

  • All Requests: Apply Token authentication to all types of requests for the specified domain.
  • Only Homepage: Apply only to the root directory of the domain, such as http://domain/ or https://domain/.
  • Specified File Type: Apply only to specific types of files. You can select from the predefined file types on the left or define custom file types. Separate multiple custom types with a semicolon ; (e.g., jpg;png).
  • Specific Directory: Apply to requests under specific directories. For example, /file/abc/ applies to all content under http://domain/file/abc/*.
    Note: Directories must start and end with /, and can only contain letters, numbers, and certain special characters (underscore, hyphen, percent sign, dot). Separate multiple directories with line breaks.

Advanced Scope Conditions
You can further refine the rule's scope using Advanced Scope Conditions. These conditions are intersected with the basic Apply to setting for precise control. Select one or more parameters; each forms an AND relationship with the basic Apply to setting to target specific requests or responses.

  • Exclude File Type: Excludes certain file types. Separate multiple types with ;.
  • Exclude Custom File Type: Excludes custom file types as needed. Separate multiple types with ;.
  • Exclude URL (Regex): Excludes URLs using regex, e.g., .*\.jpg$.
  • Exclude IPs and CIDR Blocks: e.g., 1.1.1.0/24:1.1.0.1/32.

Authentication Mode
You can select from five authentication modes available on the CDNetworks Console, each tailored to different needs and situations:

How to Verify Token Authentication

Due to the complexity of Token Authentication settings, it is advisable to deploy configurations to a staging environment first to avoid impacting your live operations. Once verified as correct, you can apply them to the production environment. For detailed guidance on deploying the configurations to a staging environment, refer to Verify Configurations Through Pre-Deployment.

Additionally, you can use the Token Generator available on the CDN Console to automatically generate Token Authentication parameters for testing and to verify whether those parameters will pass validation on the CDN edge servers. For more on how to use this tool, visit Token Generator.
