Security

URLs signed in HMAC-SHA256

Only transformations you sign are served—impossible for a third party to generate variants instead of you.
An open image API is an open door: anyone can create thousands of variants and explode your egress bill. Cloudphoto signs each URL in HMAC-SHA256 with your token's secret. An unsigned URL, or one signed with the wrong key, is rejected.
See pricing
URLs signed in HMAC-SHA256
URL example
?width=900 &format=auto

What's changing

Costs under control

No unauthorized variant can be generated. Your egress follows your real pages, not a scraper's whim.

Server-side key

The signature is calculated on your backend. The HMAC key never leaves the server, never in browser JS.

Parameter integrity

The signature covers the parameters and source URL: no one can hijack your token to another image.

Ready to deliver faster images?

15-day free trial, no credit card. No SDK, no server to manage.