A signed URL contains a cryptographic signature proving it was generated by an authorized party. Any modified or forged URL is rejected.
For an image API, the signature (often HMAC-SHA256) is calculated server-side from the parameters and a secret. The image server re-checks the signature before processing: a third party can't create arbitrary variants, which protects your costs and your URLs' integrity.
Key points
HMAC signature
A digest calculated from parameters and a shared secret, impossible to forge without the key.
Server-side key
The secret never leaves the backend—you don't sign in browser JavaScript.
Costs protected
Without a valid URL, no transformation is served—your traffic stays tied to your actual usage.