Skip to content
Logo PixelFiddler

Transformation Security

Transformation Security controls how media transformations are authenticated and authorized. This security layer protects your transformation endpoints from unauthorized access while allowing legitimate requests to process media.

Transformation security determines who can apply transformations to your media files. It specifically governs the /sources/{sourceId}/media/{filePath} endpoint where image processing occurs.

This includes operations like:

  • Resizing and cropping images
  • Format conversion (JPG to WebP, PNG to AVIF)
  • Quality adjustments
  • Applying effects (blur, brightness, rotation)
  • Adding text overlays and watermarks

Security Levels

Section titled “Security Levels”

Transformation security supports three levels of protection:

TOKEN

Section titled “TOKEN”

Requires a valid JWT access token for all transformation requests.

Use cases:

  • Private applications with user authentication
  • Internal dashboards and admin panels
  • Member-only content platforms

SIGNATURE_OR_TOKEN

Section titled “SIGNATURE_OR_TOKEN”

Accepts either a valid JWT token OR a valid URL signature.

Use cases:

  • Public websites that need to generate secure transformation URLs
  • CDN integration with pre-signed URLs
  • Third-party applications with limited token access

UNSECURED

Section titled “UNSECURED”

No authentication required - transformations are publicly accessible.

Use cases:

  • Public image galleries
  • Open-source projects
  • Development and testing environments

URL Signatures

Section titled “URL Signatures”

When using SIGNATURE_OR_TOKEN level, you can generate signed URLs that provide temporary access without requiring authentication tokens. Read more on how to generate a signature

Best Practices

Section titled “Best Practices”

✅ Recommended

Section titled “✅ Recommended”
  • Use TOKEN level for private applications with user sessions
  • Use SIGNATURE_OR_TOKEN for public websites needing flexible access
  • Set appropriate validity periods - shorter for sensitive content, longer for public assets
  • Rotate keys regularly - consider monthly or quarterly rotation
  • Combine with alias restrictions for maximum control
  • Monitor usage patterns to detect unauthorized access

❌ Avoid

Section titled “❌ Avoid”
  • UNSECURED in production unless truly needed for public access
  • Overly long signature validity - reduces security benefits
  • Sharing private keys - keep them secure and rotate if compromised
  • Mixed security levels without clear purpose