Signed URLs

Signed URLs provide a neat way to generate URLs with a hash signature appended to them. The hash ensures that the generated URL is not modified or tampered with.

The makeSignedUrl accepts the same set of arguments accepted by the Route.makeUrl method. So make sure to read the docs for Route.makeUrl as well.

For example:

Route.makeSignedUrl('verifyEmail', {
email: '[email protected]',
// /verify/[email protected]?signature=eyJtZXNzYWdlIjoiL3ZlcmlmeS9mb29AYmFyLmNvbSJ9.Xu-a0xu_E4O0sJxeAhyhUU5TVMPtxHGNz4bY9skxqRo

The signature appended to the URL is generated from the complete URI string. Changing any portion of the URL will result in an invalid signature.

Verifying signature

The route for which you generated the signed URL can verify the signature using the request.hasValidSignature() method.

Route.get('/verify/:email', async ({ request }) => {
if (request.hasValidSignature()) {
return 'Marking email as verified'
return 'Signature is missing or URL was tampered.'

Expiring Signed URLs

By default, the signed URLs live forever. However, you can add expiry to them at the time of generating one.

email: '[email protected]',
expiresIn: '30m',

Using the URL builder

You can also make use of the URL builder to generate signed URLs.

.params({ email: '[email protected]' })
.makeSigned('verifyEmail', { expiresIn: '30m' })