RenderScreenshot

Signed URLs

Signed URLs allow you to generate secure, expiring screenshot URLs without exposing your API key in public HTML.

How It Works

  1. Generate a signature server-side using your secret key
  2. Include the signature and expiration in the URL
  3. Use the signed URL in public HTML
  4. We verify the signature on each request

Generating Signed URLs

URL Format

https://api.renderscreenshot.com/v1/screenshot?url=...&expires=...&signature=...&public_key=...

Signature Generation

The signature is an HMAC-SHA256 hash of the canonical request:

# Ruby example
require 'openssl'

def sign_url(params, secret_key, expires_at)
  # Sort params alphabetically
  canonical = params.sort.map { |k, v| "#{k}=#{v}" }.join('&')
  canonical += "&expires=#{expires_at.to_i}"

  # Generate signature
  signature = OpenSSL::HMAC.hexdigest('sha256', secret_key, canonical)

  "#{canonical}&signature=#{signature}"
end

JavaScript Example

const crypto = require('crypto');

function signUrl(params, secretKey, expiresAt) {
  const sorted = Object.keys(params).sort();
  const canonical = sorted.map(k => `${k}=${params[k]}`).join('&');
  const message = `${canonical}&expires=${Math.floor(expiresAt.getTime() / 1000)}`;

  const signature = crypto
    .createHmac('sha256', secretKey)
    .update(message)
    .digest('hex');

  return `${message}&signature=${signature}`;
}

Expiration

Signed URLs must include an expiration timestamp. Maximum expiration is 30 days.

{
  "expires": 1735689600
}

Benefits

  • API key never exposed in public HTML
  • URLs expire automatically
  • Cannot be modified (signature verification)
  • Safe for og:image and public embeds

Was this page helpful?