Use the exp query parameter to limit how long a URL remains valid.
The exp parameter defines a UNIX timestamp (in seconds or milliseconds) after which a URL will become invalid. This allows you to control how long access to a file is permitted, regardless of whether you're using Signed URLs, Encrypted URLs, or regular URLs.
Expiring URLs are especially useful for temporary download links or for revoking access to private files after a user's session has expired within your application.
The exp parameter can be used on its own with any Bytescale URL, or as part of a Signed URL or Encrypted URL.
When used by itself, the exp parameter acts as a soft access control mechanism. Anyone who has the URL can use it until it expires, and because the URL is not signed or encrypted, a user can simply remove the parameter to bypass the expiration.
When used within a Signed URL, the exp parameter is added to the query string before signing the URL, meaning the parameter cannot be modified by the user.
When used within an Encrypted URL, the exp parameter is added to the query string before encrypting the URL, meaning the parameter cannot be modified or seen by the user.
The exp parameter is required when using sig and enc.
The exp value can be provided as a UNIX timestamp in either seconds or milliseconds. The maximum expiration time is 7 days (604800 seconds) from the current time.
E.g. exp=1712345678 (Unix time in seconds)
E.g. exp=1712345678123 (Unix time in milliseconds)
When using sig: add the exp parameter to the query string before generating the HMAC signature. It will be signed as part of the URL.
When using enc: add the exp parameter to the query string before encrypting. The value will be encrypted and validated server-side after decryption.
Our code examples for Signed URLs and Encrypted URLs already handle appending the exp parameter for you.
Security:
Short expiration times reduce the attack window in case a URL is leaked or intercepted.
When using Signed URLs, a tampered exp value will invalidate the signature.
When using Encrypted URLs, the exp value is completely hidden and tamper-proof.
When using Encrypted URLs, expired URLs return a generic error—not a “URL expired” message. This is by design: since the expiration time is part of the encrypted data, Bytescale must decrypt the URL before checking if it’s expired. To prevent attackers from learning whether decryption succeeded, all invalid or expired URLs return the same error.
Performance:
To increase cache hits, we recommend using exp values that are rounded to the nearest N seconds.
For example, if you round the exp parameter up to the nearest 30 seconds, then each unique file will only have 2 cache misses per minute as opposed to 60 cache misses per minute.
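The rounding described above, as an added JavaScript example (not Bytescale's own code): roundedExp and withExp are hypothetical helper names, and the URL in the comment is a constructed placeholder. It also handles the case where rounding up would push exp past the 7-day maximum.

```javascript
// Added example: helper names are hypothetical, not part of any Bytescale SDK.
const MAX_TTL_SECONDS = 604800; // 7-day maximum stated on this page

// Returns an exp value in UNIX seconds, rounded UP to a multiple of
// bucketSeconds so that every URL generated inside the same bucket is
// byte-identical and can share one cache entry.
function roundedExp(nowMs, ttlSeconds, bucketSeconds = 30) {
  if (!Number.isInteger(bucketSeconds) || bucketSeconds <= 0) {
    throw new RangeError("bucketSeconds must be a positive integer");
  }
  if (!(ttlSeconds > 0) || ttlSeconds > MAX_TTL_SECONDS) {
    throw new RangeError("ttlSeconds must be between 1 and 604800");
  }
  const nowSec = Math.floor(nowMs / 1000);
  const latestAllowed = nowSec + MAX_TTL_SECONDS;
  let exp = Math.ceil((nowSec + ttlSeconds) / bucketSeconds) * bucketSeconds;
  // Rounding up can overshoot the 7-day limit when ttlSeconds is close to
  // it. Fall back to the last bucket boundary that is still inside the limit.
  if (exp > latestAllowed) {
    exp = Math.floor(latestAllowed / bucketSeconds) * bucketSeconds;
  }
  return exp;
}

// Sets (or replaces) the exp query parameter, keeping other parameters.
function withExp(url, exp) {
  const u = new URL(url);
  u.searchParams.set("exp", String(exp));
  return u.toString();
}

// Constructed usage: a 5-minute link rounded to 30-second buckets.
// withExp("https://cdn.example.com/files/report.pdf?w=200",
//         roundedExp(Date.now(), 300, 30));
```

Rounding up lengthens a link's lifetime by at most bucketSeconds - 1 seconds, so keep the bucket small relative to the TTL. For Signed or Encrypted URLs, append exp this way before signing or encrypting, as described above.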