How to Use Secure Token

Merlin Secure Token allows you to secure your content by using a unique hash code. This code will help you authorize connections. It only works on static distributions. 

To be able to use this feature, follow the steps below:


1. Go to the distributions page by clicking on the sidebar. 

2. Click on the static distribution, wanted to be secured with a token. 


3. Go to the Page Rules section. 


4. Select the relevant Page Rule. 


5. Scroll down to the Secure Token section. 

6. Select Yes from the dropdown menu. 

Now, you have enabled the Secure Token Policy. 


Now, you will see two new input areas: Add Client IP on Token Generation and Secret. 

7. The first one, Add Client IP on Token Generation allows you to create links that will only be accessible from the IP addresses of the client who generated the link, only if selected Yes from the dropdown menu.  


8. The second one, Secret is used in the token generation. It is an alphanumeric string which means it can only contain letters or numbers.  

9. Click on the Update Page Rule button.

Now, you should generate the secure token links and include them on your website for secure access. The link generation code is below: 

using System; 
using System.Collections.Generic; 
using System.Linq; 
using System.Security.Cryptography; 
using System.Text; 
using System.Threading.Tasks; 
using System.Web; 
namespace Security 

    public class TokenGenerator 
        public static string CreateSecureLink(string url, string clientip, long second, string secret) 
            Encoding enc = Encoding.ASCII; 
            DateTime epochTime = newDateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc); 
            TimeSpan span = (DateTime.Now.AddSeconds(second).ToUniversalTime() -epochTime); 
            string timestr = span.TotalSeconds.ToString("0"); 
            if(clientip== null) 
                clientip= ""; 
            Uri uri = newUri(url); 
            string key = secret + uri.AbsolutePath + timestr + clientip; 
            MD5CryptoServiceProvider md5Hasher = new MD5CryptoServiceProvider(); 
            Byte[] hashedDataBytes = md5Hasher.ComputeHash(enc.GetBytes(key)); 
            string hash = Convert.ToBase64String(hashedDataBytes, 0, hashedDataBytes.Length); 
            hash = hash.Replace('+', '-').Replace('/', '_').Replace("=", ""); 
            string returnurl = AddQuerryParameter2URL(url, "st", hash); 
            returnurl = AddQuerryParameter2URL(returnurl, "e", timestr); 
            return returnurl; 
        public static string AddQuerryParameter2URL(string url, string parameter, string value) 
            string seperator = "?"; 
            if (url.Contains('?')) 
                seperator= "&"; 
            return url + seperator + HttpUtility.UrlEncode(parameter) + "=" + HttpUtility.UrlEncode(value); 

Secured Link supposed to be in this format:{path}?st={secureToken}&e={expire} 


On this example: 

Secure Token aQzw9y-dWC-A2xssn3eQ 
Path resize/1000x622/d4a84822-ee8f-405a-656e-08d968514b.jpg 
Expire 1656550447 


To check the produced links, you can use the following code block: 

echo -n '$secret$path$expire' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d = 

For example: 

echo -n 'LL9U5SwiJVuyqzdGXpAPG1eIdFV/resize/500x374/fecb0ef6-dad8-4656-2b57-08d9cfb4e.jpg1640855540' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d = 

In this example: 

Secret LL9U5SwiJVuyqzdGXpAPG1eIdFV
Path /resize/500x374/fecb0ef6-dad8-4656-2b57-08d9cfb4e.jpg 
Expire 1640855540 


Was this article helpful?
0 out of 0 found this helpful



Please sign in to leave a comment.