A signed URL is a normal URL with extra query parameters: a signature (HMAC over the path, expiry, allowed IPs and other policy), an expiry timestamp, and sometimes a key identifier. The CDN edge verifies the signature before serving — if valid and unexpired, the request goes through; if not, 403 Forbidden. The signing happens on the application server using a shared secret with the CDN, so no per-request round-trip to a license server is needed; the edge can validate signatures cryptographically with its locally-cached secret.

Every major CDN supports signed URLs: CloudFront with its key-pair model, Akamai with its EdgeAuth tokens, Cloudflare with its signed URL workers, Fastly with VCL-level signing. The exact query parameter names differ but the pattern is identical. Typical policy includes: expiry (e.g. 4 hours from now), IP allowlist (this URL is only valid from this client IP — useful for preventing link sharing), and key rotation.

For streaming, signed URLs typically appear on manifests rather than individual segments. The player fetches a signed manifest, and the manifest contains either unsigned segment URLs (relying on path obscurity and CDN-level controls) or signed segment URLs (more secure but harder to cache). The choice affects cache hit ratio: signed segment URLs with per-session signatures destroy cache effectiveness, because every session requests the same segment under a different URL. Best practice in 2026 is signed manifests combined with segment-level cache keys that ignore the signing query parameters.
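The signing and edge verification described above, together with a segment cache key that ignores the signing parameters, as an added example (not code from any CDN). The parameter names `exp`, `kid`, `ip` and `sig`, the canonical string layout and the demo keys are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed demo secrets, indexed by key id so the old key stays valid during rotation.
KEYS = {"k1": b"demo-secret-old", "k2": b"demo-secret-current"}
SIGNING_PARAMS = {"exp", "kid", "ip", "sig"}  # assumed parameter names


def _mac(kid, path, exp, ip):
    # Canonical string: the HMAC covers the path and every policy field.
    msg = "\n".join([path, str(exp), ip, kid]).encode()
    return hmac.new(KEYS[kid], msg, hashlib.sha256).hexdigest()


def sign_url(path, kid, now, ttl=4 * 3600, client_ip=""):
    """Application-server side: append expiry, key id, optional IP, signature."""
    exp = now + ttl
    params = {"exp": exp, "kid": kid}
    if client_ip:
        params["ip"] = client_ip
    params["sig"] = _mac(kid, path, exp, client_ip)
    return f"{path}?{urlencode(params)}"


def verify_url(url, now, client_ip):
    """Edge side: return the HTTP status the edge would answer with."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    kid, sig, ip = q.get("kid", ""), q.get("sig", ""), q.get("ip", "")
    if kid not in KEYS or not q.get("exp", "").isdecimal():
        return 403
    exp = int(q["exp"])
    expected = _mac(kid, parts.path, exp, ip)
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant time
        return 403
    if now >= exp or (ip and ip != client_ip):
        return 403
    return 200


def cache_key(url):
    """Segment cache key: path plus non-signing parameters only."""
    parts = urlsplit(url)
    keep = sorted((k, v) for k, v in parse_qsl(parts.query) if k not in SIGNING_PARAMS)
    return parts.path + ("?" + urlencode(keep) if keep else "")
```

Ignoring the signing parameters in the cache key is only safe when the edge runs the verification step before the cache lookup; otherwise a cached segment would be served to a request with no valid signature.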