Secure Public URLs of Assets
Contentstack provides asset URL security, allowing teams to protect content by restricting public access to asset URLs. When enabled for a stack, assets cannot be accessed directly by their URLs without valid authentication parameters, helping prevent unauthorized retrieval of sensitive or private content.
How To Access Secured Published Assets
To access a secured asset, you must include both a delivery token and an environment name as query parameters in the asset URL.
Example URLs:
- https://assets.contentstack.io/v3/assets/{stack_uid}/{asset_uid}/{asset_version_id}/asset_file_of_pdf.pdf?access_token={delivery_token}&environment={environment_name}
- https://images.contentstack.io/v3/assets/{stack_uid}/{asset_uid}/{asset_version_id}/image_file_name.jpeg?access_token={delivery_token}&environment={environment_name}
Note: Delivery tokens are scoped to environments. Adding the environment parameter strengthens validation by ensuring the asset is authorized in the correct context.
Behavior and Limitations
When secure asset URLs are enabled, the following limitations apply:
- Rich Text Fields (RTE, JSON RTE, and Markdown): Once asset privatization is enabled, these fields would no longer support asset or image insertion using the standard file picker. As a workaround, to include a secured asset, manually append the required authentication parameters to the URL.
Warning: Manually appending the asset URL is not recommended for rich text fields due to maintainability and potential security exposure.
- Image Delivery API Limitations: The overlay transformation parameter does not function with secured assets.
How To Access Draft Assets
To access draft (unpublished) assets, use either an Authtoken or a Management Token with the Content Management APIs.
Note: Delivery tokens work only for published assets and cannot be used to fetch draft versions.
How To Enable Secure Asset URLs
To enable asset URL security for your stack, contact our support team.
Note: Asset security is applied at the stack level. Authenticated users can still download and manage assets directly through the Contentstack web app.
Securing asset URLs adds an additional layer of control and protection for your content.
More articles in "Manage Asset Security"
