Show search and navigation.

 

Generating Tokens

A factor that plays into the strength of a token value is the encryption key.
View best practices for defining an encryption key.

A token value is required to access all content protected by Token-Based Authentication. Before you can assign a token value to a link, you will need to generate it with the desired requirements. When generating a token, keep in mind that there is no limit to the number of parameters that can be combined. In other words, a token value can consist of a single or multiple parameters. Additionally, you should also keep in mind that certain parameters support multiple values. This permits a lot of flexibility when determining the requirements that must be met prior to content delivery.

Although there is no limit to the number of parameters that can be combined to form a token, there is a limit of 512 characters for the total length of a token. In order to prevent your clients from being inadvertently denied access to your content, please ensure that your token values never exceed 512 characters.

Generating tokens will not affect your Token-Based Authentication configuration in any way. Additionally, there is no limit to the number of token values that may be generated for a particular encryption key.

A token can be generated via:

Token values are not inherently folder or platform-specific. This means that a user that satisfies a token’s requirements can use that token to retrieve content from any protected folder that has been associated with the encryption key used to generate it, as long as the token’s requirements are not specific to that path or asset. This type of configuration makes it possible to gain access to protected content from various folders across different platforms.

Manually Generating a Token

An individual token value may be generated through the TCC. This can be accomplished through the Encrypt Tool section of the Token Auth page. The sole purpose of this section is to generate a token value based on either the primary or backup key.

To manually generate a token

  1. Review the available parameters.
  2. Assign a value to each parameter that a client must meet before content may be delivered.
  3. From the Key to Encrypt option, select the desired encryption key.
  4. From the Encryption Version option, select the desired version. The recommended encryption version is 3.0.
  5. Click Encrypt to generate a token specific to the selected key. This token value will appear next to the Generated Token label.

  6. Modify the desired request to include the above token value as a query string.

    Example:

    http://cdn.mydomain.com/sales.pdf?1234567890abcdefghijklmnop

Using Our Token Generator Application

An alternative method for generating token values is to use the Token Generator application. This application provides the means to generate tokens using a script. The advantage of this approach is that it allows token values to be tailored to content.

The Token Generator application includes the following components:

The Windows version of our executable requires BouncyCastle.Crypto.dll and Blowfish.dll. Please make sure that these assets are stored in the same folder as the encryption executable.

The proper syntax for specifying a single parameter is described below.

ectoken3 -2 KeyName "parameter=value"

The proper syntax for specifying multiple parameters is to use an ampersand (&) between parameters. This can be seen in the following syntax example:

ectoken3 KeyName "parameter1=value&parameter2=value1,value2"

For example, if you wanted to generate a token that meets the following requirements:

Then you would use the following syntax:

ectoken3 MyKey "ec_expire=1451563200&ec_country_allow=US,CA,MX&ec_ref_allow=*.TrustedDomain.com"

The token value associated with this configuration would be:

1ea46ba396e88f03a9f6b6b968b32d2fd88858148f120a1bbca7882de68b8b14a9bde8bcd6c36bcd30e8bbb47d9997ab7260381b4c1ed99de5baf805ed54fd3609e8066e43a92a5b2c7839ba95080d3668ab9dd47d9275d8eb29b8ccf8f49515745f18a66c

You would then append this token value to your protected content as can be seen below:

http://secure.server.com/MyProtectedAsset.html?1ea46ba396e88f03a9f6b6b968b32d2fd88858148f120a1bbca7882de68b8b14a9bde8bcd6c36bcd30e8bbb47d9997ab7260381b4c1ed99de5baf805ed54fd3609e8066e43a92a5b2c7839ba95080d3668ab9dd47d9275d8eb29b8ccf8f49515745f18a66c

The Token Auth page provides an "Encrypt Tool" that can generate tokens. This tool will also display the corresponding call through which our Token Generator application (i.e., ectoken3) can generate the same token. This sample syntax will appear next to the Token Generator Call label.

Building a Custom Token Generator

Leverage our open-source repository to create a custom application to generate token values. This repository, which is hosted on GitHub, contains C, C++, C#, PHP, Perl, and Python source code.

This repository is located at:

https://github.com/edgecast/ectoken