Secure Tokens

Secure tokens are used to check authenticity of requested links, protect resources from unauthorized access, and limit link lifetime. The authenticity of a requested link is verified by comparing the checksum value passed in a request with the value computed for the request. If a link has a limited lifetime and the time has expired, the link is considered outdated and the content will not be served. If the visitor for whom the secure token has been generated attempts to provide the URL to the protected content to other internet users, their requests will be rejected by PUSHR.

Secure tokens must be generated by your app, service or website on the fly for each visitor that requests to download or stream your content.

Once enabled, secure tokens will become effective within 5 minutes and your content will no longer be accessible without them. In order to minimize the impact for your legitimate visitors it is important to prepeare your app, service or website prior to activating this feature.

After activation, the secure tokens module will generate a secret key which you must use to dynamically generate tokens for your visitiors. The following example uses PHP to generate a simple token which will use a predefined secret, visitor's IP address and the path to the protected content ("video.mp4", residing in the "my_videos" directory) to create a unqiue token. The lifetime of this link will be set to 3600 seconds (1 hour). After expiration, the link will no longer be accessible to the visitor.


$secret = 'xxxx'; // Your secret can be found in your dashboard
$baseUrl = ''; // Your CDN URL or your CNAME
$protected_file = '/my_videos/video.mp4'; // Path to content being protected
$host = $_SERVER['REMOTE_ADDR']; // This line will get the visitor's IP address
$exp = time()+3600; // Link expiration: 3600 seconds (1 hour)
$md5 = base64_encode(md5($secret . $protected_file . $host . $exp, true));
$md5 = strtr($md5, '+/', '-_');
$md5 = str_replace('=', '', $md5);


After the secure token has been generated, it is time to construct the new link to your content:

$link = $baseUrl . $protected_file . '?st=' . $md5 . '&e=' . $exp; `

The only thing left is to echo $link; in place of the existing unsecure link.

Secure tokens will often cause issues when the user is using a VPN service, since some VPNs will rotate the IP addresses their customers use for each HTTP request. In that case the IP for which the token has been generated will differ from the IP requesting the protected content, which will result in HTTP 403.

External resources