Signed Delivery (Fast Track)
Sign delivery URLs on your own server and skip play sessions entirely. No API round trip, no session token, no
Authorization header — just a URL your listeners can stream immediately.
Best For
Public access
How it compares to play sessions
The Hybrid and Server-Side paths mint a play session — a short-lived, per-listener token created by calling the AudioDN API. That round trip is what lets you enforce entitlements (logins, subscriptions, purchases) at play time.
Signed delivery removes that round trip. You hold a per-organization HMAC secret and sign the delivery URL yourself, so the listener's request goes straight to your delivery domain and is verified at the edge. For public tracks where you don't need per-play authorization, this is the fastest and simplest option.
| Play session (Hybrid / Server-Side) | Signed delivery (this path) | |
|---|---|---|
| API round trip per listener | Yes — mint a session | No — sign locally |
| Per-play authorization | Enforced at session creation | Your responsibility (who gets a link) |
| Best for | Paywalled / gated audio | Public tracks & previews |
| Plays counted for billing | Yes | Yes |
For the full reference — the signature scheme, variant scoping, and reporting details — see the Signing Keys API docs.
Signing & Delivering
Mint a signing key, sign on your server, stream from your delivery domain.
1. Create a URL Signing Key
In the AudioDN dashboard, go to Settings → API Keys and create a URL Signing key. The secret is shown once — store it securely on your server. You can optionally set a signature lifetime (ttl) and restrict the key to specific variants.
2. Find Your Delivery Domain
Every organization gets a dedicated delivery subdomain in the form {organization_id}.audiodelivery.net. Copy yours from Settings → Organization → Delivery Domain. A file's full URL is your delivery domain plus the file's path:
https://1bb2f0c4-....audiodelivery.net/7e4386f0-..../20260709145408659.uSYrzmRWTDvEyjFz_lq.aac 3. Sign the URL on Your Server
Compute an HMAC-SHA256 token over the request path plus the current timestamp, then append it as a verify query parameter. This reference implementation uses the Web Crypto API and runs in Node 18+, Deno, Bun, and Cloudflare Workers:
function base64url(bytes) {
let binary = '';
const b = new Uint8Array(bytes);
for (let i = 0; i < b.byteLength; i++) binary += String.fromCharCode(b[i]);
return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
async function hmacSha256(key, data) {
const cryptoKey = await crypto.subtle.importKey(
'raw', new TextEncoder().encode(key),
{ name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
);
return new Uint8Array(await crypto.subtle.sign('HMAC', cryptoKey, new TextEncoder().encode(data)));
}
// secret = the URL Signing key secret from the dashboard (keep this server-side)
// domain = your org delivery host, e.g. "1bb2....audiodelivery.net"
// path = the file path, e.g. "folder-id/track-index_lq.mp3"
async function signUrl(secret, domain, path) {
const u = new URL('https://' + domain + '/' + path);
u.searchParams.delete('verify');
const message = u.pathname + (u.search || '');
const issued = Math.floor(Date.now() / 1000).toString();
const mac = await hmacSha256(secret, message + issued);
u.searchParams.append('verify', issued + '-' + base64url(mac)); // verify MUST be last
return u.toString();
} Keep the secret server-side
4. Serve the Signed URL to the Client
// Express example: hand a freshly signed URL to your frontend.
app.get('/api/track-url', async (req, res) => {
const url = await signUrl(
process.env.ADN_SIGNING_SECRET, // never expose this to the client
process.env.ADN_DELIVERY_DOMAIN, // e.g. 1bb2....audiodelivery.net
req.query.path // folder-id/track-index_lq.mp3
);
res.json({ url });
}); The frontend fetches a ready-to-play URL — no key material is exposed.
5. Play It Anywhere a URL Works
A signed URL is just a URL, so it drops straight into a native <audio> element, your own custom player, or a download link.
<!-- The signed URL works anywhere a normal audio URL does. -->
<audio controls src="https://{org}.audiodelivery.net/{file_path}?verify={issued}-{mac}">
</audio> 6. Plays & Reporting
Signed URLs bypass the play session, but your play statistics stay accurate — plays are measured from actual audio delivery on your domain and aggregated hourly. Because every signed request is a real delivery, it counts toward your play usage and billing just like a play-session stream.