undefined | Better HN

0 pointsriedel1y ago0 comments

Is there any advantage over JWT other than one can put the token into the URL itself (which is technically also possible with JWT I guess, with the downside that it will be probably exposed in logs, etc.)?

0 comments

3 comments · 3 top-level

inopinatus1y ago

The signature is verified by the origin bucket/cdn endpoint, so it's in the format used by the applicable public cloud, without depending on any application-specific cookie or bearer values, and with CORS/CSP interactions you can easily reason about.

Signature values could appear in the logs the cloud provider writes, but won't be in your application logs unless you, for example, specifically write out the Location of a 30x redirect (which would be relatively uncommon), and in any case the ephemerality makes them basically uninteresting.

kijin1y ago

Signed URLs work with dumb storage such as Amazon S3 and Google Cloud Storage.

You might want to use JWT to authenticate someone before handing out a signed URL, though.

jacobr11y ago

These came out before JWTs gained broad adoption. They are accomplishing the same technical objective via a different implementation.

j / k navigate · click thread line to collapse