Can I allow access to uploaded images only to authenticated users?

Yes. Cloudinary supports several methods for handling image access control. You can choose the method that best suits your needs:

  • Random public IDs - Cloudinary allows generating random photo ids (URLs) for uploaded photos or setting your own photo IDs. Since the URL is impossible to guess, it will only be available publicly if the owner of the photo can access his image's URL and share it with others. This is a common practice (it's the same way Facebook hosts your images) and is available to all plans.
  • Private images - available for all of our free and paid plans. You can upload images as 'private'. The original images are not available for access by the public. Together with the 'Strict Transformations' mode, you can define certain transformations (e.g., thumbnail) that are available for the public and delivered to your users through a fast CDN. For the less common case of accessing the original images, you can download the images using an authenticated API (bypassing the CDN). More details are available in this blog post:
  • Authenticated images - authenticated originals, as well as its derivatives, will be totally inaccessible using un-signed URLs. Those images will only be delivered against a `API-SECRET` based signed URLs.
    We also support time-based expiring URLs, although this is currently only supported via CloudFront CDN, and for our Advanced plans and higher as it requires a few setup steps on our side and yours. For more information please contact us.
  • Referral based Whitelisting / Blacklisting - This feature is available for our Premium plans only. In addition, a custom CNAME must be set-up for your account for this to work. You need to let us know the domains you want to be whitelisted for your account and following a short manual configuration on our side, any request for access to an image that does not come from a domain on the whitelist will be denied. Likewise any request for access to an image that comes from a domain on the blacklist will be denied.
Have more questions? Submit a request


  • Avatar
    Jyoti Patil

    Thanks for these tips.  We're looking for a way to ensure our images are not accessed outside the mobile app that we are developing . Is there some way of testing the 'authenticated images'  through some demo cloud/site/images that Cloudinary can host, and provide authentication details for test purposes?  That way,  we can develop the app and upgrade to the advanced plan only when the app goes live. 

  • Avatar
    Paolo Cosentino

    So how do I do this in the web?
    You have just talked about all what we can do, but you didn't say how to do it (?)
    I cannot find any option anywhere to make my uploaded images to be private by default.
    Where is the option in the web UI ?

  • Avatar
    Nadav Ofir

    Hi Paolo,
    Check out this documentation about uploading resources with different type preferences:

Powered by Zendesk