Glossary

Signed URL: what is it?

Definition
A signed URL contains a cryptographic signature proving it was generated by an authorized party. Any modified or forged URL is rejected.
For an image API, the signature (often HMAC-SHA256) is calculated server-side from the parameters and a secret. The image server re-checks the signature before processing: a third party can't create arbitrary variants, which protects your costs and your URLs' integrity.

Key points

HMAC signature

A digest calculated from parameters and a shared secret, impossible to forge without the key.

Server-side key

The secret never leaves the backend—you don't sign in browser JavaScript.

Costs protected

Without a valid URL, no transformation is served—your traffic stays tied to your actual usage.

From theory to practice

cloudphoto applies all of this on the fly, from a simple URL. 15-day free trial, no credit card.