Updates and Announcements

Release Notes

Announcements

User Tutorial

Product Introduction

Product Overview

Strengths

Use Cases

Term

Use Limits

CDN Performance Descriptions (Spot-check)

Purchase Guide

CDN Purchase Guide

ECDN Purchase Guide

Getting Started

Configuring CDN from Scratch

Adding Domain Names

CNAME Configuration

Domain Name Ownership Verification

FAQs about Domain Name Connection

Configuration Guide

Domain Management

Domain Name Configurations

Statistical Analysis

Purge and Prefetch

Log Management

EdgeOne

Service Query

Offline Cache

Permission Management

Permission Configuration

Console Permissions

Activate Real-time Logging as Sub-account/Collaborator

Use Cases

Accelerating Resources on COS with CDN

Practical Tutorial

Guide to Using the EdgeOne Tool for Migrating Content Delivery Network (CDN) Related Services

CDN - CVM

CDN - COS

Configuring CNAME via DNSPod

Regularly Storing CDN Logs

API Documentation

History

Introduction

API Category

Content Management APIs

Real-time Log APIs

Service Query APIs

Data Query APIs

Making API Requests

Log Query APIs

StopCdnDomain

Configuration Management APIs

Obsoleted APIs

Other APIs

Data Types

Error Codes

FAQ

Features

Billing

FAQs about Domain Name Connection

Cache Configuration FAQs

Purge and Prefetch

Statistical Analysis

FAQs about HTTPS

Connection

Errors

Troubleshooting Methods

Status Codes and Solutions

Node Cache Inconsistency

Slow Access Speed After CDN Activation

Low Traffic Hit Rate

404 Status Code

Page Display - CORS error

Resource Cache Failure

Service Level Agreement

Glossary

TypeA

PDF

Focus Mode

Font Size

Last updated: 2025-12-25 16:45:24

You can add authentication to prevent hotlinking of your website. Tencent Cloud supports Type A, B, C and D authentication. This document describes details of Type A authentication.
Algorithm Description
Access URL formathttp://DomainName/Filename?sign=timestamp-rand-uid-md5hash
Note: 
The access URL cannot contain any Chinese characters.
Description of authentication fields
Field
Description
DomainName
CDN domain.
Filename
Resource access path. During authentication, `Filename` must start with a slash (/).
timestamp
The time when the server generates the authentication URL. It is a positive hex integer Unix timestamp, which is the total number of seconds between 00:00:00, January 1, 1970, UTC time and the URL generation time. Its definition is irrelevant to the time zone.
rand
A random string consisting 0-100 characters ([0-9], [a-z], [A-Z]).
uid
User ID (not in use), which defaults to 0. 
md5hash
A string containing 32 characters calculated based on the MD5 algorithm. It is calculated as follows: 
• md5hash = md5sum(uri-timestamp-rand-uid-pkey).
• uri: It is the resource access path and must start with a slash (/).
• timestamp: Its value is the above timestamp.
• rand: Its value is the above rand.
• uid: Its value is the above uid.
• pkey: It can contain 6 to 40 letters and digits. It should be kept private and disclosed to only the client and server.
Authentication logic description 
After the CDN server receives a user request, it parses the timestamp parameter in the URL and the validity period of the authentication URL and compares it with the current time.
1.1 If the sum of timestamp and the validity period of the authentication URL is before the current time, the server judges that the URL has expired and is invalid and returns the HTTP error code 403.
1.2 If the sum of timestamp and the validity period of the authentication URL is after the current time, the server uses the MD5 algorithm to calculate the value of md5hash and it with the md5hash value passed in by the URL. If they are the same, the request will pass the authentication; otherwise, the HTTP error code 403 will be returned.
Configuration Directions
Here we take Type-A authentication as an example. 
Field configuration
Authentication key: dimtm5evg50ijsx2hvuwyfoiu65
Signature parameter: sign
Validity period of the authentication URL: 1s
The time when the signature calculation server generates the authentication URL: 2020-02-27 16:10:32 (UTC+8). Its decimal integer value after conversion is 1582791032 (timestamp).
Requested origin address: http://www.mixcre.com/test/1.jpg
Generation process
Get authentication parameters:
Parameter
Value
URI
Resource access path, which is /test.jpg.
timestamp
1582791032
rand
Generate a random string: im1acp76sx9sdqe601v
uid
Set it to 0
pkey
dimtm5evg50ijsx2hvuwyfoiu65
Concatenate the signature string: /test.jpg-1582791032-im1acp76sx9sdqe601v-0-dimtm5evg50ijsx2hvuwyfoiu65
Calculate the MD5 value of the signature string: md5hash =md5sum(uri-timestamp-rand-uid-pkey)= md5sum(/test.jpg-1582791032-im1acp76sx9sdqe601v-0-dimtm5evg50ijsx2hvuwyfoiu65) = 3fbb88382c9356b6faaf9d68c7b2ae3a
Generate the authentication URL:http://www.mixcre.com/test/1.jpg?sign=1582791032-im1acp76sx9sdqe601v-0-3fbb88382c9356b6faaf9d68c7b2ae3a
When the client uses the encryption URL for access, if the md5hash value calculated by the CDN server is the same as the md5hash value carried by the access request, which are both 3fbb88382c9356b6faaf9d68c7b2ae3a in this example, the request will pass the authentication; otherwise, the authentication will fail.
Notes
Cache hit rate
For domain names using TypeA authentication mode, the access URL will carry the authentication parameter. When a CDN node caches the resource, the corresponding parameter will be ignored and thus will not affect the cache hit rate.
Note: 
As the authentication parameter will be automatically ignored, the cache keys of the files to be authenticated will be affected, and the priority here is higher than the cache key rules in Cache Configuration > Cache Key Rule Configuration.
For example, the Type A configuration here is as: "Authentication Parameter: sign"; "Authentication Scope: jpg"; then the sign parameter will be automatically ignored for JPG files even though the configuration is as "All Files: Not Ignore" in Cache Configuration -> Cache Key Rule Configuration.
Origin-pull policy
The access format of a domain name with Type A authentication mode enabled is as follows:
 http://DomainName/Filename?sign=timestamp-rand-uid-md5hash
If the CDN node is not hit after successful authentication, it will initiate an origin-pull request, which is in the same format as the access request with the sign parameter retained. The origin server can ignore it or perform authentication again as needed.

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

Field	Description
DomainName	CDN domain.
Filename	Resource access path. During authentication, `Filename` must start with a slash (/).
timestamp	The time when the server generates the authentication URL. It is a positive hex integer Unix timestamp, which is the total number of seconds between 00:00:00, January 1, 1970, UTC time and the URL generation time. Its definition is irrelevant to the time zone.
rand	A random string consisting 0-100 characters ([0-9], [a-z], [A-Z]).
uid	User ID (not in use), which defaults to 0.
md5hash	A string containing 32 characters calculated based on the MD5 algorithm. It is calculated as follows: • `md5hash = md5sum(uri-timestamp-rand-uid-pkey)`. • `uri`: It is the resource access path and must start with a slash (/). • `timestamp`: Its value is the above `timestamp`. • `rand`: Its value is the above `rand`. • `uid`: Its value is the above `uid`. • `pkey`: It can contain 6 to 40 letters and digits. It should be kept private and disclosed to only the client and server.

Parameter	Value
URI	Resource access path, which is `/test.jpg`.
timestamp	1582791032
rand	Generate a random string: `im1acp76sx9sdqe601v`
uid	Set it to `0`
pkey	dimtm5evg50ijsx2hvuwyfoiu65

tencent cloud

Content Delivery Network

TypeA

Algorithm Description

Configuration Directions

Notes

Help and Support