URL signing configuration and signed URL generation.
Signing
URL signing uses HMAC-SHA256 to prevent unauthorized image transforms. When enabled, unsigned URLs can optionally be rejected.
Get signing config
GET /images/projects/{projectId}/signingcurl -H "Authorization: Bearer spronta_img_..." \
https://app.spronta.com/api/images/projects/123e4567-.../signingResponse 200
{
"enabled": true,
"requireSignedUrls": false,
"signingSecret": "spronta_sign_...abcd"
}The signing secret is masked (only first 12 and last 4 chars shown). The full secret is only returned once — when first generated.
Enable or disable signing
POST /images/projects/{projectId}/signing| Field | Type | Description |
|---|---|---|
enabled | boolean | true generates a new secret, false disables signing |
requireSignedUrls | boolean | When true, unsigned CDN URLs return 403 |
Enable signing:
curl -X POST \
-H "Authorization: Bearer spronta_img_..." \
-H "Content-Type: application/json" \
-d '{"enabled": true}' \
https://app.spronta.com/api/images/projects/123e4567-.../signingResponse 200 — Returns the full signing secret (store it securely, shown only once):
{
"enabled": true,
"requireSignedUrls": false,
"signingSecret": "spronta_sign_a1b2c3d4e5f6..."
}Generate a signed URL
PUT /images/projects/{projectId}/signingServer-side signed URL generation. Requires signing to be enabled.
| Field | Type | Required | Description |
|---|---|---|---|
path | string | Yes | Image path (e.g. /my-project/hero.jpg) |
params | object | No | Transform params as key-value strings |
expiresIn | integer | No | Expiration in seconds (60–604800) |
curl -X PUT \
-H "Authorization: Bearer spronta_img_..." \
-H "Content-Type: application/json" \
-d '{
"path": "/my-project/hero.jpg",
"params": {"w": "800", "f": "webp"},
"expiresIn": 3600
}' \
https://app.spronta.com/api/images/projects/123e4567-.../signingResponse 200
{
"url": "/my-project/hero.jpg?exp=1711152000&f=webp&w=800&s=a1b2c3d4...",
"signature": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
"expiresAt": 1711152000
}You can also sign URLs client-side using the SDK:
const url = await spronta.signedUrl("hero.jpg", { width: 800 }, 3600);