Basic Setup and Usage

A valid Token-Based Authentication setup consists of setting up a platform-specific configuration and updating links. This type of setup will cause the CDN to require authentication prior to content delivery. This basic workflow is outlined below.

Workflow Description


A valid Token-Based Authentication setup requires that the following steps be performed:

Phase 1: Platform-specific configuration

  1. Set an encryption key.
  2. Define the set of content that will require authentication by performing one or both of the following actions:

Phase 2: Updating links

  1. Generate tokens.
  2. Update links (href and src) to include a valid token value.

CDN Traffic

Requests for the above content:

  1. Require a valid token.
  2. Must meet the requirements defined in the token.

Phase 1: Platform-Specific Configuration

Perform the following steps to define the content that will require authentication:

  1. Decide which platforms will require authentication.

  2. Define an encryption key for each desired platform.
  3. Define the set of content that will require authentication. This may be defined by either:

    • Directory: Define a directory whose contents will require authentication. Token-Based Authentication will be applied to all requests for content in that directory or a sub-folder of that location.
    • Rules Engine: Rules Engine, which must be purchased separately, can be configured to enable or disable Token-Based Authentication when a request meets predefined criteria.

      The following sample configuration indicates how Token-Based Authentication can be applied to all requests for PDFs:

Phase 2: Content Linking

The next phase involves the following steps:

  1. Generating encrypted tokens that define the minimum access requirements.
  2. Updating CDN/edge CNAME URLs defined in href and src attributes to include the above encrypted token value as a query string parameter.

Only the content defined in phase 1 will require authentication. All other content may be accessed using a standard CDN or edge CNAME URL.

Sample request:

The above request's query string, which is marked in bold, blue font, represents a token value.

Request Handling

A request for content defined in phase 1 must meet the following criteria:

  1. An authorized request must contain a valid token that is appended to the file name in the CDN or edge CNAME URL.

    Sample request:
  2. Our edge servers will decrypt the token using either the current primary or backup encryption key for the platform associated with the request. The decrypted value will reveal the requirements for the requested content.
  3. The user must satisfy all of the requirements defined for the requested content.

    • Content will be delivered when the requester meets all of the requirements defined in the decrypted token value.
    • The request will be denied when the requester cannot satisfy one or more requirements. Denied requests may be redirected to a different web page.
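The Phase 2 and Request Handling steps above, sketched end to end as an added example; this is not the CDN's own code or token format. AES-256-GCM, the JSON payload, the SHA-256 key derivation, the requirement fields `expire` and `clientIp`, and the host `cdn.example.com` are all assumptions chosen for illustration.

```javascript
// Added illustration, not the CDN's token format: AES-256-GCM, the JSON payload
// and the field names `expire` / `clientIp` are assumptions made for this sketch.
const { createCipheriv, createDecipheriv, createHash, randomBytes } = require('crypto');

// Assumption: derive a 32-byte AES key from the configured (high-entropy) key string.
const deriveKey = (secret) => createHash('sha256').update(secret).digest();

// Phase 2, step 1: encrypt the access requirements into a token.
function generateToken(secret, requirements) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(requirements), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Phase 2, step 2: the token becomes the link's query string.
const signLink = (url, token) => `${url}?${token}`;

// Throws when the key is wrong or the token was altered (GCM tag mismatch).
function decryptToken(secret, token) {
  const raw = Buffer.from(token, 'base64url');
  if (raw.length < 28) throw new Error('token too short');
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(secret), raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Request handling: try the primary key, then the backup key, then enforce
// every requirement carried in the decrypted token.
function authorize(requestUrl, clientIp, nowSeconds, keys) {
  const q = requestUrl.indexOf('?');
  if (q < 0) return { allowed: false, reason: 'missing token' };
  const token = requestUrl.slice(q + 1);
  let req = null;
  for (const secret of [keys.primary, keys.backup]) {
    if (!secret) continue;
    try { req = decryptToken(secret, token); break; } catch { /* try the next key */ }
  }
  if (!req) return { allowed: false, reason: 'invalid token' };
  if (typeof req.expire !== 'number' || nowSeconds >= req.expire) {
    return { allowed: false, reason: 'expired' };
  }
  if (req.clientIp && req.clientIp !== clientIp) {
    return { allowed: false, reason: 'client IP mismatch' };
  }
  return { allowed: true, reason: 'ok' };
}
```

In this sketch a link issued under the previous key is still accepted while that key is configured as the backup, which is what lets a key be rotated without breaking links already published.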