Can I allow access to uploaded images only to authenticated users?

Yes. Cloudinary supports several methods for handling image access control. You can choose the method that best suits your needs:

  • Random public IDs - Cloudinary allows generating random photo ids (URLs) for uploaded photos or setting your own photo IDs. Since the URL is impossible to guess, it will only be available publicly if the owner of the photo can access his image's URL and share it with others. This is a common practice (it's the same way Facebook hosts your images) and is available to all plans.
  • Private images - available for all of our free and paid plans. You can upload images as 'private'. The original images are not available for access by the public. Together with the 'Strict Transformations' mode, you can define certain transformations (e.g., thumbnail) that are available to the public and delivered to your users through a fast CDN. For the less common case of accessing the original images, you can download the images using an authenticated API (bypassing the CDN). More details are available in this blog post:
  • Authenticated images - authenticated originals, as well as its derivatives, will be totally inaccessible using unsigned URLs. Those images will only be delivered against an `API-SECRET` based signed URLs.
    We also support time-based expiring URLs, which is now supported via our Akamai CDN, available for our Pro plans and higher (as it requires a few setup steps on our side and yours). For more information please contact us.
  • Referral based Whitelisting / Blacklisting - This feature is available for our Premium plans only. In addition, a custom CNAME must be set-up for your account for this to work. You need to let us know the domains you want to be whitelisted for your account and following a short manual configuration on our side, any request for access to an image that does not come from a domain on the whitelist will be denied. Likewise, any request for access to an image that comes from a domain on the blacklist will be denied.
Have more questions? Submit a request


  • Avatar
    Jyoti Patil

    Thanks for these tips.  We're looking for a way to ensure our images are not accessed outside the mobile app that we are developing . Is there some way of testing the 'authenticated images'  through some demo cloud/site/images that Cloudinary can host, and provide authentication details for test purposes?  That way,  we can develop the app and upgrade to the advanced plan only when the app goes live. 

  • Avatar
    Paolo Cosentino

    So how do I do this in the web?
    You have just talked about all what we can do, but you didn't say how to do it (?)
    I cannot find any option anywhere to make my uploaded images to be private by default.
    Where is the option in the web UI ?

  • Avatar
    Nadav Ofir

    Hi Paolo,
    Check out this documentation about uploading resources with different type preferences:

  • Avatar

    Which plan is Premium? Is it any paid plan?

  • Avatar
    Ido Bar-Noam

    Our premium (or enterprise) plan is indeed a paid plan. Since it is fully customizable and tailored to the user's needs, you could contact us in the link below letting us you are interested in that plan, and we will get back to you.

Powered by Zendesk