Expiring URL

S4m123 Member Posts: 1
edited November 2023 in Developer APIs

I'm trying to generate a URL for an image when a user visits a page, and generate a signed URL with an expiry time. (node/express)

However, when I refresh the page, the URL is the same, and the image isn't expiring and is accessible seemingly forever?

These images are data sensitive, and I require the URL generated on page load to only be accessible for the authenticated user, for say 30 seconds, then a new expires_at URL generated every time they visit the page.

At the moment, the exact same URL is being generated when the user views the page, indicating the expires_at isn't being set in the URL - I'm on the free plan for now in development

Is my approach wrong here? I'm brand new to this:

const cloudinary = require('cloudinary').v2; // Cloudinary Node SDK (v2 API)

function generateSecureURL(publicId) {
  const currentTimeInSeconds = Math.floor(Date.now() / 1000);
  const expiryTimeInSeconds = 5; // Set expiration time to 5 seconds
  const expirationTimestamp = currentTimeInSeconds + expiryTimeInSeconds;

  const url = cloudinary.url(publicId, {
    type: 'authenticated',
    sign_url: true,
    secure: true,
    expires_at: expirationTimestamp // Set expiration time as a UNIX timestamp
  });

  return url;
}

  • DannyFromCloudinary
    DannyFromCloudinary Member, Cloudinary Staff Posts: 102

    Hey @S4m123 - thanks for getting in touch!

    expires_at is actually a parameter for private assets (rather than authenticated) when you want to download them using the private_download_url() utility method. The docs are available here if you wanted to have a further read. When you pass this to cloudinary.url() it actually just gets ignored. When I run the following, I get the same URL regardless of if I provide an expires_at or not:

    const url = cloudinary.url("authenticated_cat", {
        type: 'authenticated',
        sign_url: true,
        secure: true,
        expires_at: 1699543800 //Thursday, 9 November 2023 15:30:00
    });
    console.log(url); //https://res.cloudinary.com/dannyv/image/authenticated/s--01LhXLo8--/authenticated_cat

    If you wanted to provide time-limited access in the browser instead, I would recommend either token-based authentication, which is a paid feature, or providing access times upon upload.

    I hope this helps! Please let us know if you have any further questions.

    All the best,
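
The thread's underlying requirement (a URL that differs on every page load and stops working after about 30 seconds) only holds when the expiry is part of what gets signed and is checked by the server. The sketch below is an added example, not code from the original posts or from Cloudinary, and it does not reproduce Cloudinary's signature scheme: it is a generic HMAC-signed URL for an image route the Express app would serve itself. The `/img/` route, `SIGNING_KEY`, and both function names are assumptions made for illustration.

```javascript
// Added example: generic HMAC-signed expiring URL, not Cloudinary's signature scheme.
const crypto = require('crypto');

// Constructed demo secret; a real app loads this from server-side configuration.
const SIGNING_KEY = 'constructed-demo-key';

function sign(path, expiresAt) {
  // The expiry is part of the signed message, so editing it invalidates the signature.
  return crypto.createHmac('sha256', SIGNING_KEY)
    .update(`${path}\n${expiresAt}`)
    .digest('hex');
}

// Build a URL valid for ttlSeconds from nowSeconds (hypothetical /img/ route).
function makeExpiringUrl(publicId, ttlSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  const path = `/img/${encodeURIComponent(publicId)}`;
  const expiresAt = nowSeconds + ttlSeconds;
  return `${path}?expires_at=${expiresAt}&sig=${sign(path, expiresAt)}`;
}

// Server-side check to run before returning any image bytes.
function verifyExpiringUrl(url, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parsed = new URL(url, 'https://app.example'); // base is only needed for parsing
  const expiresAt = Number(parsed.searchParams.get('expires_at'));
  const given = Buffer.from(parsed.searchParams.get('sig') || '');
  if (!Number.isInteger(expiresAt)) return 'malformed';
  const expected = Buffer.from(sign(parsed.pathname, expiresAt));
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 'bad-signature';
  }
  return nowSeconds > expiresAt ? 'expired' : 'ok';
}
```

The route handler would still check the user's session before calling `verifyExpiringUrl`, since a signed URL on its own grants access to whoever holds it until it expires.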