Asset keys
Asset keys are used when signing Embargoed Asset URLs. This feature is only enabled for spaces on Premium/Enterprise plans that have enabled Embargoed Assets.
Asset key
To sign embargoed asset URLs, you need to create an asset key. Secure asset URLs delivered by the CDA, CMA, or CPA will have a host of (images,assets,videos,downloads).secure.ctfassets.net. They cannot be accessed without first signing the URL.
Signing an embargoed asset URL is accomplished by the following steps:
- Create an asset key for the space the asset URL belongs to. You must specify an expiresAt value, a Unix epoch timestamp in seconds, and this can be no more than 48 hours in the future.
- Create a JWT with the embargoed asset URL as the sub (JWT subject). Sign the JWT with the asset key’s secret.
- Affix to the original embargoed asset URL the following query parameters:
  - policy - the asset key’s policy
  - token - the JWT created in step 2
- You may affix other query parameters as well, for example when using the Images API. These do not impact the validity of the signed URL.
By default, a signed asset URL will stop functioning after the expiresAt value that was specified when creating the asset key. When generating the JWT, you may optionally specify an exp (expiry) that will cause the signed URL to be unusable at the specified expiry time. If a per-URL expiry is greater than the expiresAt value specified when creating the asset key, the asset key’s expiresAt value will be used instead.
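The signing steps and the expiry rule above, as an added example in Node.js (not code from the original page). It assumes the asset key from step 1 is already available as an object with policy, secret and expiresAt fields, that the JWT is signed with HS256, and that the sub is the asset URL without its query string; the function names and sample values are constructed for illustration.

```javascript
const crypto = require("node:crypto");

// Hosts the page lists for secure (embargoed) asset URLs.
const SECURE_HOST = /^(images|assets|videos|downloads)\.secure\.ctfassets\.net$/;
const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Step 2: compact JWT with the asset URL as `sub`, signed with the key's secret.
// HS256 is an assumption; the page only says to sign the JWT with the secret.
function createToken(subject, secret, exp) {
  const payload = exp === undefined ? { sub: subject } : { sub: subject, exp };
  const signingInput = `${b64url({ alg: "HS256", typ: "JWT" })}.${b64url(payload)}`;
  const sig = crypto.createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Steps 2-3. `assetKey` is the { policy, secret, expiresAt } object from step 1.
// `exp` is the optional per-URL expiry; `now` is injectable so tests are deterministic.
function signAssetUrl(assetUrl, assetKey, { exp, now = Math.floor(Date.now() / 1000) } = {}) {
  const url = new URL(assetUrl);
  if (!SECURE_HOST.test(url.hostname)) throw new Error("not an embargoed asset URL");
  if (assetKey.expiresAt <= now) throw new Error("asset key expired; create a new one");
  if (exp !== undefined && exp <= now) throw new Error("per-URL expiry is in the past");

  // Assumption: `sub` excludes the query string, in line with the statement
  // that other query parameters do not affect the validity of the signed URL.
  const subject = url.origin + url.pathname;
  url.searchParams.set("policy", assetKey.policy);
  url.searchParams.set("token", createToken(subject, assetKey.secret, exp));

  // The asset key's expiresAt caps any later per-URL exp.
  const effectiveExpiry =
    exp === undefined ? assetKey.expiresAt : Math.min(exp, assetKey.expiresAt);
  return { url: url.toString(), effectiveExpiry };
}

// Constructed sample values: not real credentials and not a real asset.
const sampleKey = { policy: "constructed-policy", secret: "constructed-secret", expiresAt: 1700172800 };
const sampleUrl = "https://images.secure.ctfassets.net/space/asset/id/cat.jpg?w=200";
const signed = signAssetUrl(sampleUrl, sampleKey, { exp: 1700000600, now: 1700000000 });
console.log(signed.url, signed.effectiveExpiry);
```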