Skip to main content
Authenticated transforms use HMAC-SHA256 signatures to prevent unauthorized access or URL manipulation. Use this for private media or to restrict which transformations can be applied.

Endpoint

Auth: Signature verification (no API key needed at request time)

Path parameters

signature
string
required
64-character HMAC-SHA256 signature. Computed server-side when generating the signed URL using your API_SECRET.s--a1b2c3d4e5f6... (64 hex chars)
transformations
string
Comma-separated transformation parameters, identical to the public /t/ endpoint. Must match the transformations used when the signature was generated.
path
string
required
Path to the file, identical to the public /t/ endpoint. Must match the path used when the signature was generated.

How signatures work

The signature is computed over the combination of transformations + file path using API_SECRET as the HMAC key. Any change to the URL (different params or path) will invalidate the signature. See Signed URLs for code examples on generating signatures.

Response

Same as the public transform endpoint, returns binary file content. Status codes:

Example

Signed URLs guide

How to generate signed URLs from your backend.

Public Transform

Unrestricted on-the-fly transformations.