Signed URLs & Sharing
Guide to generating secure, shareable download links for your R2 files.
Signed URLs allow you to share files with others without requiring them to log in or have direct access to your R2 buckets.
Key Benefits:
- ✅ No authentication required to download
- ✅ Tamper-proof signatures prevent unauthorized access to other files (a modified URL is rejected)
- ✅ Easy to share via email, chat, or messaging apps
- ✅ Links remain valid indefinitely
- ✅ Full control over which files are shared
Signed URLs use HMAC-SHA256 signatures to prevent tampering:
URL: /api/files/bucket/download/file.pdf?ts=1234567890&sig=abc123
Components:
├── Path: /api/files/bucket/download/file.pdf
├── Timestamp: ts=1234567890 (ensures uniqueness)
└── Signature: sig=abc123 (validates authenticity)
- URL received - Someone clicks your shared link
- Path extracted - Server extracts file path from URL
- Signature recalculated - Server recalculates expected signature
- Validation - Actual signature compared to expected signature
- Download allowed - If signatures match, file is served
If someone modifies the URL:
- Changing the file path breaks the signature
- Changing the timestamp breaks the signature
- The server rejects requests with invalid signatures
- Download is denied with 403 Forbidden
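The signing and validation steps above, as an added JavaScript (Node.js) example that is not the project's own code. It assumes the signed message is the path plus `?ts=<timestamp>`, a hex-encoded signature and a constructed key; the `maxAgeSeconds` check is a hypothetical hardening option, since the page states that links do not expire.

```javascript
// Added example, not the project's code. Assumptions: the signed message is
// "<path>?ts=<ts>", the signature is hex, and SECRET is a constructed key.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-key'; // hypothetical; a real key comes from a secret store

function sign(path, ts, secret = SECRET) {
  return createHmac('sha256', secret).update(`${path}?ts=${ts}`).digest('hex');
}

// `path` must already be percent-encoded, because that is the form the verifier sees.
function buildSignedUrl(origin, path, ts, secret = SECRET) {
  return `${origin}${path}?ts=${ts}&sig=${sign(path, ts, secret)}`;
}

// Returns the HTTP status the server would answer with: 200 or 403.
function verifySignedUrl(rawUrl, secret = SECRET, opts = {}) {
  const url = new URL(rawUrl);
  const ts = url.searchParams.get('ts');
  const sig = url.searchParams.get('sig');
  // Reject missing or malformed parameters before doing any crypto.
  if (!ts || !/^\d+$/.test(ts) || !sig || !/^[0-9a-f]{64}$/.test(sig)) return 403;

  // Recalculate over the path exactly as received (still percent-encoded).
  const expected = Buffer.from(sign(url.pathname, ts, secret), 'hex');
  const actual = Buffer.from(sig, 'hex');
  // Constant-time comparison; lengths are equal thanks to the regex above.
  if (!timingSafeEqual(expected, actual)) return 403;

  // Hypothetical hardening, off by default: the page states links never expire.
  if (opts.maxAgeSeconds !== undefined) {
    const age = (opts.now ?? Math.floor(Date.now() / 1000)) - Number(ts);
    if (age < 0 || age > opts.maxAgeSeconds) return 403;
  }
  return 200;
}

// Constructed sample URLs: one valid, two tampered.
const good = buildSignedUrl('https://your-domain.com',
  '/api/files/bucket/download/file.pdf', 1234567890);
const tamperedPath = good.replace('file.pdf', 'other.pdf');
const tamperedTs = good.replace('ts=1234567890', 'ts=1234567891');
```

Because the timestamp is covered by the HMAC, a server that wanted expiring links could enforce an age limit without changing the URL format.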
The easiest way to generate and copy a signed URL:
- Open a bucket in Grid View (default)
- Hover your mouse over a file card
- Click the 🔗 Link icon in the top-right corner
- The signed URL is automatically copied to your clipboard
- Paste it anywhere to share
For List View display:
- Switch to List View (click List icon in toolbar)
- Find the file in the list
- Click Copy Link button in the Actions column
- The signed URL is automatically copied to your clipboard
- Paste it anywhere to share
curl https://YOUR_DOMAIN/api/files/my-bucket/signed-url/myfile.pdf
Response:
{
  "success": true,
  "url": "https://your-domain.com/api/files/my-bucket/download/myfile.pdf?ts=1234567890&sig=abc123"
}
For files with special characters, URL-encode the filename (and quote the URL so the shell does not interpret the parentheses):
curl "https://YOUR_DOMAIN/api/files/my-bucket/signed-url/my%20file%20(v2).pdf"
- Generate signed URL
- Include in email body:
Click here to download: https://your-domain.com/api/files/...
- Send to recipient
- Recipient clicks link to download
- Generate signed URL
- Paste directly in message:
@user here's the file you asked for: https://your-domain.com/api/files/...
- Recipients can click link
- No authentication required
- Generate signed URL
- Add to documentation or README
- Users can click link to download
- Useful for sharing resources, datasets, manuals
- Generate signed URLs for files
- Add links to your website
- Visitors can download without logging in
- Great for white papers, case studies, templates
- Duration: Links remain valid indefinitely
- Expiration: No automatic expiration
- Revocation: Delete the file to revoke access
- Per-file: Each file gets unique signatures
- Timestamps: Include current timestamp for uniqueness
- Regeneration: Generating a new URL creates a different link (different timestamp, different signature)
- Typical length: 100-150 characters
- Encoding: URL-safe characters only
- Compressible: Can be shortened with URL shorteners
DO:
- Generate new URLs for each sharing scenario
- Review recipient list before sharing
- Use in secure communication channels (HTTPS)
- Monitor signed URLs in logs
- Delete files after sharing if temporary
Example - Secure Sharing:
1. Generate signed URL
2. Send via HTTPS (email, Slack, Teams)
3. Share with specific individuals
4. Delete file after deadline
DON'T:
- Share URLs in unencrypted channels (plain HTTP, unencrypted email)
- Post URLs in public forums or social media
- Share with broad audiences unless necessary
- Leave old signed URLs active indefinitely
- Share sensitive files without reviewing contents
Example - Risky Sharing:
❌ Post on public GitHub: https://your-domain.com/api/files/my-bucket/download/secret.pdf
❌ Post on public Slack channel with lots of viewers
❌ Leave URL in shared documents indefinitely
1. Upload report.pdf to bucket
2. Generate signed URL
3. Send to team members
4. They download and review
5. File remains in bucket for archive
1. Upload temp-data.csv to bucket
2. Generate signed URL
3. Share with external partner
4. Partner downloads file
5. Delete file after deadline
6. URL no longer works (file deleted)
1. Upload template.docx to bucket
2. Generate signed URL
3. Add to website/documentation
4. Thousands of users can download
5. All using same signed URL
6. No rate limiting concerns
1. Upload dataset.json to bucket
2. Generate signed URL
3. Use in API endpoint
4. Clients call: GET /api/download?file=dataset.json
5. Backend redirects to signed URL
6. Client downloads file
Problem: "403 Forbidden" or "Invalid signature" error
Solutions:
- Check URL wasn't modified
- Verify file still exists in bucket
- Check bucket name is correct
- Try regenerating URL
- Look for special characters in filename
Problem: URL is very long, hard to share
Solutions:
- Use URL shortener (bit.ly, tinyurl.com)
- Embed in QR code
- Put in button on website
- Send as email attachment with link
Problem: "Copy to clipboard" doesn't work
Solutions:
- Check browser clipboard permissions
- Try manual copy (Ctrl+C)
- Try different browser
- Check browser console for errors
- Use API method instead
Problem: "File not found" or "404 error"
Solutions:
- Verify file exists in bucket
- Check bucket name is correct
- Check file path in URL
- Make sure sender didn't delete file
- Try regenerating signed URL
See the API Reference for complete documentation:
Signed URLs respect R2's rate limits:
- Standard API limits apply
- No additional rate limiting per URL
- Safe to share widely
Downloads via signed URLs:
- Use standard egress pricing
- Benefit from Cloudflare's zero egress (free)
- Cost same as any other download method
Track downloads via Worker logs:
- Enable logging to see download requests
- Monitor via Cloudflare dashboard
- Analyze patterns and usage
Next Steps:
- Learn about File Operations
- Explore the API Reference
- Check Troubleshooting if you encounter issues