Recipe

Signed URLs for Secure CDN Delivery

Generate time-limited, cryptographically signed download URLs so only paying customers can access your payloads.

Overview

Meridian signs every CDN URL with an Ed25519 keypair. The loader verifies the signature before fetching the payload. Expired or tampered URLs are rejected at the edge — no request ever reaches your origin.

URL Structure

https://cdn.getnimbus.net/d/payload.bin?exp=1717200000&sig=8a7f3c9d2e1b...

exp — Unix timestamp expiration. sig — Ed25519 signature over the full URL path + exp.

Verification Flow

  1. Loader receives signed URL from license server.
  2. Extracts path, exp, and sig components.
  3. Checks current time against exp — rejects if expired.
  4. Verifies the Ed25519 signature using the embedded public key — rejects on mismatch.
  5. Proceeds with download only if all checks pass.

Key Rotation

Rotate signing keys by embedding multiple public keys in the loader. Each signed URL includes a kid parameter so the loader knows which key to use. Revoke a compromised key by removing it from the next loader update.
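
The verification flow and kid-based key selection described above, as an added Go example (not Meridian's own code). The function names, the newline separator between path and exp, the hex encoding of sig, and the cdn.example.test host are assumptions of this example; the key is a constructed test key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// message is what gets signed: the page says "URL path + exp"; the newline
// separator and hex-encoded sig are assumptions of this example.
func message(path string, exp int64) []byte {
	return []byte(path + "\n" + strconv.FormatInt(exp, 10))
}

// Sign is the license-server side; the private key never ships in the loader.
func Sign(priv ed25519.PrivateKey, kid, path string, exp int64) string {
	sig := hex.EncodeToString(ed25519.Sign(priv, message(path, exp)))
	return fmt.Sprintf("https://cdn.example.test%s?exp=%d&kid=%s&sig=%s", path, exp, kid, sig)
}

// Verify is the loader side: parse, check expiry, select key by kid, verify.
func Verify(raw string, keys map[string]ed25519.PublicKey, now time.Time) error {
	u, err := url.Parse(raw)
	if err != nil {
		return errors.New("unparseable URL")
	}
	q := u.Query()
	exp, err := strconv.ParseInt(q.Get("exp"), 10, 64)
	if err != nil || now.Unix() >= exp {
		return errors.New("expired or malformed exp")
	}
	pub, ok := keys[q.Get("kid")] // a kid removed from the map is revoked
	sig, err := hex.DecodeString(q.Get("sig"))
	if !ok || err != nil || !ed25519.Verify(pub, message(u.Path, exp), sig) {
		return errors.New("bad signature or unknown kid")
	}
	return nil
}

func main() {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key, all-zero seed
	keys := map[string]ed25519.PublicKey{"k1": priv.Public().(ed25519.PublicKey)}
	u := Sign(priv, "k1", "/d/payload.bin", 1717200000)
	fmt.Println(Verify(u, keys, time.Unix(1717199000, 0))) // <nil>
	fmt.Println(Verify(u, keys, time.Unix(1717200001, 0))) // expired or malformed exp
}
```

Because exp is part of the signed message, extending the expiry in the query string invalidates the signature; kid only selects a key, so changing it can at worst cause a rejection.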