The access problem
Edge content is public by default, so anyone with a URL can fetch it. For paid videos or private files you need access control that the edge can enforce without calling back to your origin on every request.
How signed URLs work
A signed URL carries a signature computed from the path, an expiry time, and a shared secret. The edge recomputes the signature using the same secret. If it matches and the time has not expired, the request is served. Otherwise it is rejected.
What you can bind
- Expiry so a link stops working after a window.
- Path or prefix so the token only unlocks intended objects.
- Client IP so a leaked link fails from another address.
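The signing step and the edge-side check described above, with the expiry, prefix and client IP bindings from this list, as an added example that is not part of the original page. It assumes HMAC-SHA256 as the signature and hypothetical query parameter names (prefix, expires, ip, sig); each CDN defines its own token format.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"constructed-demo-secret"  # constructed value; real keys live in a secret store


def _mac(secret, prefix, expires, ip):
    # Length-prefix every field so bytes cannot slide between fields.
    fields = (prefix.encode(), str(expires).encode(), ip.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def sign_url(path, prefix, ttl, now, client_ip="", secret=SECRET):
    """Issuer side: grant access under `prefix` for `ttl` seconds."""
    if not prefix.endswith("/"):
        raise ValueError("prefix must end with '/' so /videos/42 cannot match /videos/420")
    expires = int(now) + ttl
    query = {"prefix": prefix, "expires": expires}
    if client_ip:
        query["ip"] = client_ip
    query["sig"] = _mac(secret, prefix, expires, client_ip)
    return f"{path}?{urlencode(query)}"


def verify_url(url, client_ip, now, secret=SECRET):
    """Edge side: recompute the signature locally; returns (ok, reason)."""
    parts = urlsplit(url)  # assumes the edge already decoded and normalized the path
    q = parse_qs(parts.query)
    try:
        prefix, sig = q["prefix"][0], q["sig"][0]
        expires = int(q["expires"][0])
    except (KeyError, ValueError):
        return False, "malformed token"
    ip = q.get("ip", [""])[0]
    expected = _mac(secret, prefix, expires, ip)
    # Constant-time comparison; check the signature before trusting any field.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if ".." in parts.path.split("/") or not parts.path.startswith(prefix):
        return False, "path outside signed prefix"
    if ip and ip != client_ip:
        return False, "client IP mismatch"
    return True, "ok"
```

Because the bound IP is part of the signed message, removing the ip parameter from a leaked link invalidates the signature instead of lifting the restriction.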
Tokens versus cookies
A signed token can ride in a query string or a header. A signed cookie lets one grant cover many objects, handy for a video session with many segments. Either way the edge validates locally, so access checks stay fast and the origin is untouched.
Key idea
Signed URLs and tokens let the edge enforce time-limited, tamper-proof access locally, without consulting the origin on each request.