This article explains the different ways the embargoed assets feature allows you to protect your assets. By default, the feature is disabled. When enabled, you must choose between one of three modes: preparation, unpublished assets protected, or all assets protected.
This is default mode for all spaces. When the embargoed assets feature is disabled, the Content Delivery API (CDA), Content Management API (CMA), and Content Preview API (CPA), will all return normal asset URLs. All assets in your space can be fetched without signatures.
This mode is intended to be used if you are transitioning an existing space to use embargoed assets.
When you enable the embargoed assets feature in preparation mode, the CDA, CMA, and CPA will continue to return public asset URLs. These assets can be fetched as usual, without signatures. Your site should continue to function with no change.
However, enabling preparation mode for your space additionally allows you to create asset keys, sign embargoed asset URLs, and retrieve asset files from signed URLs. This allows you to test your site and tooling to ensure that they can function with embargoed assets.
Once you are done with the implementation and ready to enforce secure asset URLs, you can select one of the options below.
With this mode enabled, only unpublished assets are protected.
The CDA, which returns only published content, will return public asset URLs. These assets can be fetched as usual, without signatures.
The CMA and CPA will instead return unsigned embargoed asset URLs. You must sign these URLs with a valid asset key before they can be retrieved. When this mode is enabled, any public asset URLs for unpublished assets in your space will cease functioning within 48 hours.
Important Note: For the purposes of embargoed assets, a particular asset (as determined by its ID) is considered published if it has been published in any environment in a space. It is important to keep this in mind when using multiple environments and/or environment aliases to prepare and publish content changes.
With this mode enabled, all assets — published and unpublished — are protected.
All Contentful APIs (CDA, CMA, and CPA) will return unsigned embargoed asset URLs. You must sign these URLs with a valid asset key before they can be retrieved. When this mode is enabled, all public asset URLs for assets in your space will cease functioning within 48 hours.