Want some extra security? We got you.


By default, signed URLs aren't necessary. When you add a image source on your dashboard, ImageBoss already act as a safe proxy to your private images, enabling you to deliver your images without exposing the origin of your sources to the internet.

But there are some use-cases where you don't want to allow users to change the original URL or remove any parameters. If you deliver a image with a Watermark you might want to project the real image behind it.

If this is your case, you can enable this feature for your image source on your Dashboard.

Enabling Signed URLs

1) When you are creating or editing a source on your Dashboard (Dashboard ⟶ Sources). At the bottom of your form, check the field "I want extra security. My URLs needs to be signed".
2) A Secret Token will be displayed. This is the secret you need to sign your URLs.

Be careful if your are editing an existing source. If your are already deliverying images to your users with this source make to setup the tokens first. You can just copy your secret and activate it later.

Signing your URLs

In case you are using a language we currently don't have a official client you can still generate your token. It's HMAC SHA-256 token generated based on the PATH of your image URL.


ImageBoss for Ruby
client = 'mysecureimages', secret: '<MY_SECRET>')
image_url = client.path('/images/img01.jpg').operation(:width, width: 100)


Plain Ruby
require 'openssl'
secret = '<YOUR_SECRET>'
imagePath = '/mysecureimages/width/500/01.jpg'
bossToken = OpenSSL::HMAC.hexdigest('sha256', secret, imagePath)


const crypto = require('crypto');
const secret = '<YOUR_SECRET>';
const hmac = crypto.createHmac('sha256', secret);
const imagePath = '/mysecureimages/width/500/01.jpg';
const bossToken = hmac.update(imagePath).digest('hex');


$secret = '<YOUR_SECRET>'
$imagePath = '/mysecureimages/width/500/01.jpg'
$bossToken = hash_hmac('sha256', $imagePath, $secret)

Now all you need to do is add a Query String parameter on your URL called bossToken: