Skip to main content

Authenticated or private images still accessible to anyone with access to the URL



  • Roee Ben Ari

    Hi Terrence,

    Please note that both types, Authenticated and Private, are meant to restrict users from generating resources. Meaning, if you use either of the above types, the end-user would need to know your API Secret (which should be kept confidential) in order to generate (and view) the resource. However, once the resource is created, any user who has the URL can view it. 

    As a side note, when using private images, once the derived resource is created, there's no need to know the signature in order to access it, while when using authenticated images, without the signature, they cannot be accessed. If you'd like, we can tweak your account to omit URLs from upload response JSON.

    More specific restrictions can be performed using a cookie-based authentication. Please read the below documentation for more information:

  • ramon quiusky

    Thank you for the reply - ok maybe you can lead me in the right direction - seeing that once the image asset is created (uploaded) I have a URL that only I would know and no one could guess. So now that I have the image uploaded what is the cloudinary recommended way to get this image asset and show it as a <img> on my website BUT not showing the src="url to image here" this is where I'm confused as to how cloudinary works. I dont want someone to "view source" of web page and be able to get the url of the asset and send anywhere.....

  • Roee Ben Ari

    This is not something we currently support. You can try and hide the src attribute using JS, though note that there are no bulletproof solutions for that out there.


Post is closed for comments.