Release Notes and Announcements

Release Notes

Security Announcement

Announcements

Product Introduction

Overview

Strengths

Use Cases

Comparison Between EdgeOne and CDN Products

Use Limits

Purchase Guide

Description of Trial Plan Experience Benefits

Free Plan Guide

Billing Overview

Billing Items

Subscriptions

Renewals

Instructions for overdue and refunds

Comparison of EdgeOne Plans

About "clean traffic" billing instructions

DDoS Protection Capacity Description

Getting Started

Choose business scenario

Quick access to website security acceleration

Quick deploying a website with Pages

Domain Service&Origin Configuration

Domain Service

HTTPS Certificate

Origin Configuration

Site Acceleration

Overview

Access Control

Smart Acceleration

Cache Configuration

File Optimization

Network Optimization

URL Rewrite

Modifying Header

Modify the response content

Rule Engine

Image&Video Processing

Speed limit for single connection download

DDoS & Web Protection

Overview

DDoS Protection

Web Protection

Bot Management

API Discovery（Beta）

Edge Functions

Overview

Getting Started

Operation Guide

Runtime APIs

Sample Functions

Best Practices

Pages

L4 Proxy

Overview

Creating an L4 Proxy Instance

Modifying an L4 Proxy Instance

Disabling or Deleting an L4 Proxy Instance

Batch Configuring Forwarding Rules

Obtaining Real Client IPs

Data Analysis&Log Service

Log Service

Data Analysis

Alarm Service

Site and Billing Management

Billing Management

Site Management

Version Management

General Policy

General Reference

Configuration Syntax

Request and Response Actions

Country/region and Corresponding Codes

Terraform

Overview

Installing and Configuring Terraform

Practical Tutorial

EdgeOne Skill User Guide

Automatic Warm-up/Cache Purge

Resource Abuse/hotlinking Protection Practical

HTTPS Related Practices

Acceleration Optimization

Scheduling Traffic

Data Analysis and Alerting

Log Platform Integration Practices

Configuring Origin Servers for Cloud Object Storage (Such As COS)

CORS Response Configuration

API Documentation

History

Introduction

API Category

Making API Requests

Site APIs

Acceleration Domain Management APIs

Site Acceleration Configuration APIs

Edge Function APIs

Alias Domain APIs

Security Configuration APIs

Layer 4 Application Proxy APIs

Content Management APIs

Data Analysis APIs

Log Service APIs

Billing APIs

Certificate APIs

Origin Protection APIs

Load Balancing APIs

Diagnostic Tool APIs

Custom Response Page APIs

API Security APIs

DNS Record APIs

Content Identifier APIs

Legacy APIs

Ownership APIs

Image and Video Processing APIs

Multi-Channel Security Gateway APIs

Version Management APIs

Data Types

Error Codes

FAQs

Product Features FAQs

DNS Record FAQs

Domain Configuration FAQs

Site Acceleration FAQs

Data and Log FAQs

Security Protection-related Queries

Origin Configuration FAQs

Troubleshooting

Reference for Abnormal Status Codes

Troubleshooting Guide for EdgeOne 4XX/5XX Status Codes

520/524 Status Code Troubleshooting Guide

521/522 Status Code Troubleshooting Guide

Tool Guide

Agreements

Service Level Agreement

Origin Protection Enablement Conditions of Use

TEO Policy

Data Processing And Security Agreement

Glossary

Introduction to Token Authentication

PDF

Focus Mode

Font Size

Last updated: 2026-03-19 14:38:01

Overview
Token authentication is a simple and reliable access control strategy that verifies URL access through authentication rules, effectively preventing malicious brushing of site resources. The usage of this function requires the cooperation of the client and EdgeOne. The client is responsible for initiating encrypted URL requests, and EdgeOne is responsible for verifying the legality of the URL based on pre-set rules.
Function principle
The implementation of Token authentication mainly consists of the following two parts:
Client: Initiate the authentication URL request based on the authentication rules (including authentication algorithm, key).
EdgeOne node: Verify the authentication information (MD5 string + timestamp) in the authentication URL. When the verification is passed, the access request will be considered as a valid request, and the node will respond normally. If the verification fails, the node will reject the access and directly return 403.
Token authentication URL generation and verification tool
EdgeOne provides a generation tool and verification tool for Token authentication URLs. Developers can use this tool to quickly and accurately generate and verify anti-leeching URLs that meet the requirements.
Directions
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. On the site details page, click Site Acceleration to enter the global configuration page for the site, then click the Rule Engine tab.
3. On the Rule Engine Management page, click Create rule and select Add blank rule.
4. On the rule editing page, set the matching conditions that trigger this rule.
5. Click Action > Select Box, and select Token authentication in the pop-up operation list. The parameter configuration instructions are as follows:
Parameter
Description
Method
Currently, 5 authentication signature calculation methods are supported. Please choose the appropriate method based on the access URL format. For details, please refer to the authentication method.
Primary key (Required)
The primary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters(Except " and $).
Backup key (optional)
The secondary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters(Except " and $).
Authentication encryption string
An authentication parameter must be between 1-100 characters and contains letters, numbers and underscores. The parameter value will be authenticated by nodes.
Validity period
Validity period of the authentication URL (1-630720000 seconds). It determines whether a client request is valid:
If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned. 
If the current time does not exceed the "timestamp + valid duration" time, the request is not expired and continues to verify the MD5 string.
Must-knows
1. After Authentication is passed, the node will automatically ignore the Authentication-related parameters in the URL to improve the Cache hit rate and reduce the amount of origin-pull.
2. The origin-pull request URL cannot contain any Chinese characters.

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

Parameter	Description
Method	Currently, 5 authentication signature calculation methods are supported. Please choose the appropriate method based on the access URL format. For details, please refer to the authentication method.
Primary key (Required)	The primary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters(Except `"` and `$`).
Backup key (optional)	The secondary password, consisting of 6-40 uppercase and lowercase English letters, numbers and special characters(Except `"` and `$`).
Authentication encryption string	An authentication parameter must be between 1-100 characters and contains letters, numbers and underscores. The parameter value will be authenticated by nodes.
Validity period	Validity period of the authentication URL (1-630720000 seconds). It determines whether a client request is valid: If the time "timestamp + validity period" is reached, the request is considered expired and a 403 is returned. If the current time does not exceed the "timestamp + valid duration" time, the request is not expired and continues to verify the MD5 string.

tencent cloud

Tencent Cloud EdgeOne

Introduction to Token Authentication

Overview

Function principle

Token authentication URL generation and verification tool

Directions

Must-knows

Help and Support