A tokenized (or signed) URL embeds a cryptographic token - usually encoding an expiry time and sometimes the viewer's IP or geo - that the CDN validates before serving content. It is a lightweight access control that stops people from sharing or hotlinking media URLs, complementing DRM with delivery-layer authorization.
The catch for caching is the cache key: if the per-user token becomes part of the key, every viewer's request looks unique and nothing caches. The standard fix is to validate the token at the edge but exclude it from the cache key, so authorization stays per-user while the underlying segment stays a single shared, cacheable object.
