← Lessons

quiz vs the machine

Gold1400

System Design

The Presigned URL

Hand a client a time limited signed link so it uploads or downloads directly, bypassing your servers.

5 min read · core · beat Gold to climb

The problem

If every byte of every upload flows through your application server, that server becomes a costly bottleneck. A presigned URL lets the client talk to the object store directly while you still control who may do what.

How it works

Your backend holds the secret credentials. It signs a URL that encodes the bucket, key, allowed method, and an expiry time, then hands that URL to the client. The store verifies the signature on arrival and serves the request only until the URL expires.

What it gives you

  • Offloaded bandwidth: bytes skip your servers entirely.
  • Scoped access: the link works for one key, one method, for a short window.
  • No shared secrets: the client never sees your credentials.

Cautions

  • A leaked URL is valid until it expires, so keep windows short.
  • The signature pins the method, so an upload link cannot be reused to delete.

Key idea

A presigned URL is a short lived signed link that lets a client move bytes straight to the store without ever seeing your credentials.

Check yourself

Answer to earn rating on the learn ladder.

1. What does a presigned URL let a client do?

2. Why keep the expiry window short?