Signed URLs

When generating image URLs from your server, you can generate a signed (secure) image URL using your ImageKit.io private key. Signing adds query parameters to the image URL that prevent the image transformation from being altered in the URL.

When generating signed URLs, use the private key available in the Developer section of the dashboard. Signing the URLs adds query parameters that ensure image transformations cannot be altered from the URL. If a third party tries to modify the image transformation or the image URL, or to use the URL beyond its intended expiry time, the request returns a 401 Unauthorised status code because of a signature mismatch.

A signed URL looks similar to:

https://ik.imagekit.io/your_imagekit_id/path-to-image.jpg?ik-s='generatedURLsignature'&ik-t='UTCtimestamp'

Generating Signed URLs

ImageKit.io provides two methods of generating signed URLs for your images:

  1. Implementing the URL generation and signature logic on your own.

  2. Using an SDK.

Generating Signed URLs on your own

Append the following strings:

  1. Your ImageKit ID

  2. The complete transformation string, without the leading tr: prefix.

  3. The UTC timestamp in seconds to set the expiry of the URL. If you do not want the URL to expire, set the value as 9999999999.

  4. The image key, which is the image URL without the URL pattern and the transformation string. It should include all the query parameters except the signature-related query parameters ik-s and ik-t (explained below).

For example, if the image URL is https://ik.imagekit.io/demo/tr:h-100,w-100:rt-90/files/image.jpg?version=1

then it can be broken down into the following parts:

  • ImageKit ID - demo

  • Transformation string - h-100,w-100:rt-90

  • UTC Timestamp - <defined by you while generating the signature>

  • Image key - files/image.jpg?version=1

The UTC timestamp is used to set the expiry date/time of an image URL. If you want the URL to expire on 24th July 2022 at 23:59:59, the UTC timestamp for this date is 1658534399.

Once you have appended the strings, create an HMAC-SHA1 signature of the resulting string, using your private key as the HMAC key.

Generate the hex digest of this signature and attach it to the URL as a query parameter named ik-s.

If you used a UTC timestamp (other than the default 9999999999) to set the expiry time while calculating the hash, add it to the URL as a query parameter named ik-t.
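
The steps above in Python, added here as an example and not taken from ImageKit's documentation or SDKs. The private key and the expiry timestamp are constructed values, and `check` is a hypothetical local stand-in for the server-side validation, assumed to behave as this page describes.

```python
import hashlib
import hmac

NO_EXPIRY = 9999999999  # default timestamp from the page: URL never expires
BASE = "https://ik.imagekit.io"  # URL pattern shown in the page's example


def signature(private_key, imagekit_id, transformation, expiry, image_key):
    """HMAC-SHA1 hex digest over the four strings appended in the page's order."""
    message = f"{imagekit_id}{transformation}{expiry}{image_key}"
    return hmac.new(private_key.encode(), message.encode(), hashlib.sha1).hexdigest()


def signed_url(private_key, imagekit_id, transformation, image_key, expiry=NO_EXPIRY):
    """Build the image URL and attach ik-s (and ik-t when an expiry is set)."""
    sig = signature(private_key, imagekit_id, transformation, expiry, image_key)
    url = f"{BASE}/{imagekit_id}/tr:{transformation}/{image_key}"
    # The image key may already carry query parameters such as ?version=1.
    url += ("&" if "?" in image_key else "?") + f"ik-s={sig}"
    if expiry != NO_EXPIRY:
        url += f"&ik-t={expiry}"
    return url


def check(private_key, imagekit_id, transformation, image_key, ik_s, ik_t, now):
    """Hypothetical local stand-in for the server-side check: 200 or 401.
    Assumption: mirrors the behaviour the page describes, not ImageKit's code."""
    expiry = int(ik_t) if ik_t is not None else NO_EXPIRY
    expected = signature(private_key, imagekit_id, transformation, expiry, image_key)
    # compare_digest avoids leaking the position of the first mismatch via timing.
    if not hmac.compare_digest(expected.encode(), ik_s.encode()) or now > expiry:
        return 401
    return 200


if __name__ == "__main__":
    KEY = "private_key_placeholder"  # constructed value, not a real key
    url = signed_url(KEY, "demo", "h-100,w-100:rt-90", "files/image.jpg?version=1",
                     expiry=1700000000)  # constructed expiry timestamp
    print(url)
    sig = url.split("ik-s=")[1].split("&")[0]
    # Same signature, altered transformation: mismatch, so the check returns 401.
    print(check(KEY, "demo", "h-500,w-500", "files/image.jpg?version=1",
                sig, "1700000000", now=1600000000))
```

Keep the private key on the server only; a signature computed in client-side code would expose the key to anyone who can read that code.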