Embargoed assets - FAQs

The embargoed assets feature allows you to control who has access to your assets. In this article, we answer frequently asked questions about the feature.

Are embargoed assets a paid feature?

Embargoed assets are available to all enterprise spaces at no additional cost. The feature is enabled on space-level as opposed to an individual asset-level. You can decide in which spaces you want to use embargoed assets. The feature is disabled by default.

Do embargoed assets work with Contentful environments?

Assets are not currently environment-sensitive. This is only relevant if you are attempting to protect only unpublished assets.

For the purposes of embargoed assets, if you have an asset with id ‘my-asset’ in your primary environment and that asset is unpublished, and at the same time you have an asset with the same id in your secondary environment that is published, such asset is considered published. It will be available through unsigned, public asset URLs.

Once the the embargoed assets feature is enabled for a given space, all requests for protected assets will require a correctly signed URL, regardless of the environment.

Are there any performance implications of using embargoed assets?

Validating an embargoed asset URL's signature introduces a small increase in request processing time. Based on our testing customers may see on average 20 to 40 ms of an additional latency per embargoed asset request.

How do I use embargoed assets with an existing project?

Please refer to the getting started tutorial to learn how to enable embargoed assets for existing projects.

Do embargoed assets work with static generated sites?

Yes, embargoed assets can be used with dynamically rendered applications as well as statically generated apps. However, some portions of authorization logic and URL signing must rely on dynamic logic. Please refer to our getting started tutorial for more information on the topic.

How do I audit embargoed asset requests?

If you need to audit embargoed asset requests related to a specific asset, you can request logs via Support. The team will be able to provide the logs related to specific asset including the following information:

  • A timestamp of the request
.

  • The IP address of the request origin
.

  • URL and query parameters
.

  • Edge location serving the request
.

  • Referrer header and user agent
.

NOTE: Embargoed asset request logs are retained for a maximum period of one year.

Can I customize error messages that are displayed to end-users at an attempt to access an embargoed asset?

If you decide to proxy requests for embargoed assets then you will be in full control of what message will be displayed to the end-user. You choose a message to display based on the response status code returned by our API. If you decide not to proxy requests, or if the user tries to access the embargoed asset directly, they will see a standard error message you get today when the asset can't be fetched.

Was this helpful?
add-circle arrow-right remove style-two-pin-marker subtract-circle