Skip to main content
Authenticated transforms use HMAC-SHA256 signatures to prevent unauthorized access or URL manipulation. Use this for private media or to restrict which transformations can be applied.

Endpoint

GET /authenticated/s--{signature}/{transformations}/{path}
Auth: Signature verification (no API key needed at request time)

Path parameters

signature
string
required
64-character HMAC-SHA256 signature. Computed server-side when generating the signed URL using your API_SECRET.s--a1b2c3d4e5f6... (64 hex chars)
transformations
string
Comma-separated transformation parameters, identical to the public /t/ endpoint. Must match the transformations used when the signature was generated.
path
string
required
Path to the file, identical to the public /t/ endpoint. Must match the path used when the signature was generated.

How signatures work

The signature is computed over the combination of transformations + file path using API_SECRET as the HMAC key. Any change to the URL (different params or path) will invalidate the signature. See Signed URLs for code examples on generating signatures.

Response

Same as the public transform endpoint — returns binary file content. Status codes:
CodeMeaning
200Transformed file returned
400Invalid URL format or signature structure
401Signature does not match — tampered or wrong secret
404File not found

Example

GET /authenticated/s--a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2/w_400,h_400,c_fill/private/photo.jpg

Signed URLs guide

How to generate signed URLs from your backend.

Public Transform

Unrestricted on-the-fly transformations.