TypeScript icon, indicating that this package has built-in type declarations

3.0.2 • Public • Published

AWS CloudFront URL Signature Utility

Build Status npm version


The AWS SDK for JavaScript has added support for generating signed URLs and Cookies. Please see Class: AWS.CloudFront.Signer

Generating signed URLs for CloudFront links is a little more tricky than for S3. It's because signature generation for S3 URLs is handled a bit differently than CloudFront URLs and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.



  • Node.js >=18
  • Active CloudFront distribution with origin configured

Configuring CloudFront

  1. Create a CloudFront distribution

  2. Configure your origin with the following settings:

    Origin Domain Name: {your-s3-bucket} Restrict Bucket Access: Yes Grant Read Permissions on Bucket: Yes, Update Bucket Policy

  3. Create CloudFront Key Pair. more info


npm install aws-cloudfront-sign


import { SignatureOptions } from 'aws-cloudfront-sign/types'

Upgrading from 2.x to 3.x

  • There shouldn't be any breaking changes when coming to 3.x. RTMP URLs were deprecated by Amazon but that will affect all versions.
  • Support for ES Modules was added
  • Support for TypeScript was added

Upgrading from 1.x to 2.x

  • expireTime now takes it's value as milliseconds, Date, or moment instead of seconds.


getSignedUrl(url, options)

  • @param {String} url - Cloudfront URL to sign
  • @param {Object} options - URL signature options
  • @return {String} signedUrl - Signed CloudFrontUrl

getSignedCookies(url, options)

  • @param {String} url - Cloudfront URL to sign
  • @param {Object} options - URL signature options
  • @return {Object} cookies - Signed AWS cookies

getSignedRTMPUrl(domainName, s3key, options)

⛔️ Deprecated: RTMP Support Discontinuing on December 31, 2020

  • @param {String} domainName - Domain name of your Cloudfront distribution
  • @param {String} s3key - Path to s3 object
  • @param {Object} options - URL signature options
  • @return {Object} url.rtmpServerPath - RTMP formatted server path
  • @return {Object} url.rtmpStreamName - Signed RTMP formatted stream name


  • expireTime (Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are

    • number - Time in milliseconds (new Date().getTime() + 1800000)
    • moment - Valid momentjs object (moment().add(1, 'day'))
    • Date - Javascript Date object (new Date(2016, 0, 1))
  • ipRange (Optional) - IP address range allowed to make GET requests for your signed URL. This value must be given in standard IPv4 CIDR format (for example,

  • keypairId - The access key ID from your Cloudfront keypair

  • privateKeyString || privateKeyPath - The private key from your Cloudfront keypair. It can be provided as either a string or a path to the .pem file. Note: When providing the private key as a string, ensure that the newline character is also included.

    const privateKeyString =
      '-----BEGIN RSA PRIVATE KEY-----\n'
      '-----END RSA PRIVATE KEY-----'

    Also, here are some examples if prefer to store your private key as a string but within an environment variable.

    # Local env example
    CF_PRIVATE_KEY="$(cat your-private-key.pem)"
    # Heroku env
    heroku config:set CF_PRIVATE_KEY="$(cat your-private-key.pem)"


Creating a signed URL

By default the URL will expire after half an hour.

// ESM: import { getSignedUrl } from 'aws-cloudfront-sign'
const cf = require('aws-cloudfront-sign')
const options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
const signedUrl = cf.getSignedUrl('', options);
console.log('Signed URL: ' + signedUrl);

Creating signed cookies

// ESM: import { getSignedCookies } from 'aws-cloudfront-sign'
const cf = require('aws-cloudfront-sign')
const options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
const signedCookies = cf.getSignedCookies('*', options);

// You can now set cookies in your response header. For example:
for(var cookieId in signedCookies) {
 res.cookie(cookieId, signedCookies[cookieId]);

Package Sidebar


npm i aws-cloudfront-sign

Weekly Downloads






Unpacked Size

34.8 kB

Total Files


Last publish


  • jasonsims