Pre-Signed URL

A pre-signed URL is a temporary, cryptographically signed URL that grants limited access to a private resource without exposing credentials.

---

What problem does it solve?

• Your files are private

• You don’t want to expose credentials

• You still want to allow:

  • Temporary download

  • Temporary upload

  • Limited access

---

How it works (high level)

1. Server (trusted) has credentials (AWS/GCP/Azure)

2. Server cryptographically signs:

   • File path

   • Allowed action (GET / PUT)

   • Expiry time

3. A URL is generated with signature + expiry

4. Anyone with the URL can access the resource until it expires

---

Common use cases

✅ Secure file download
✅ Direct file upload from browser/mobile
✅ Sharing private assets temporarily
✅ Avoiding backend proxying of large files

---

Example (AWS S3)

A normal private S3 object:

s3://my-bucket/invoices/123.pdf

Pre-signed URL:

https://my-bucket.s3.amazonaws.com/invoices/123.pdf
?X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Expires=300
&X-Amz-Signature=abc123...

This:

• Expires in 300 seconds

• Allows only what was signed (e.g., GET)

---

Security properties

✔ Time-bound
✔ Permission-bound
✔ No credentials exposed
✔ Can be revoked by expiry

❌ If leaked, usable until expiry

---

Where you’ll see it

• AWS S3 (very common)

• Google Cloud Storage

• Azure Blob Storage

• CDN signed URLs

• Video streaming platforms

---