Objectstore TempURL How-To

The TempURL plugin lets you create a URL for an object in a private container that grants access for a limited time.

With time-limited access to an otherwise private object, websites can present a link to an object that downloads directly from the Object Store, eliminating the need for the website to act as a proxy. It also limits exposure of that object to the expiration time set when the link was created, in case someone accidentally posts the link on a forum etc.

The first part of this How-To explains the steps from a coding point of view, using the command line, the API and a programming language of choice. At the end we will show how to accomplish the same with our CloudVPS Interface.

Set up the X-Account-Meta-Temp-URL-Key

First an X-Account-Meta-Temp-URL-Key header must be set on the Swift account (OpenStack project).
This can be done via the command line, a library for the programming language you use, or the CloudVPS Interface. Before we start we will need the ProjectID, an Auth-Token (we must have an active login) and a long random string that will act as our secret when we create the TempURL link to an object.

Say our Token = 'a0a0a0a0a0a0a0a0a0a0a0a0a0a0a'
and our ProjectID = 'abcd010abcd010abcd010abcd010'
and our secret = 'Hrq65olI0ScXHLwD6gwdp7emgOSqcX'

Then our HTTP Request should resemble:

X-Auth-Token: a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
X-Account-Meta-Temp-Url-Key: Hrq65olI0ScXHLwD6gwdp7emgOSqcX

In cURL you could write this as:

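# <object-store-host> is a placeholder for your Object Store endpoint
curl -X POST -H 'X-Auth-Token: a0a0a0a0a0a0a0a0a0a0a0a0a0a0a' \
-H 'X-Account-Meta-Temp-Url-Key: Hrq65olI0ScXHLwD6gwdp7emgOSqcX' \
'https://<object-store-host>/v1/AUTH_abcd010abcd010abcd010abcd010'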

Generate the TempURL

A TempURL is the path to the object with two query parameters: temp_url_sig and temp_url_expires, so a link to an object should resemble:


The HMAC-SHA1 (RFC 2104) signature is calculated using the HTTP method to allow (GET or PUT), the Unix timestamp at which the link should expire, the full path to the object, and the X-Account-Meta-Temp-URL-Key set on the account. Note that the timestamp should be in UTC.

To generate the signature for a GET link that will expire in 5 minutes to an object with url one could do:


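method='GET'
expires=$(( $(date '+%s') + 300 ))
_path='/container/object'
key='Hrq65olI0ScXHLwD6gwdp7emgOSqcX'
# awk keeps only the hex digest; newer openssl versions prefix it with "(stdin)= "
sig=$(printf '%s\n%s\n%s' "$method" "$expires" "$_path" | openssl sha1 -hmac "$key" | awk '{print $NF}')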


import hmac
from hashlib import sha1
from time import time

method = 'GET'
expires = int(time() + 300)
path = '/container/object'
key = 'Hrq65olI0ScXHLwD6gwdp7emgOSqcX'

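hmac_body = '%s\n%s\n%s' % (method, expires, path)
# hmac.new() needs bytes for both the key and the message on Python 3
sig = hmac.new(key.encode(), hmac_body.encode(), sha1).hexdigest()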


$method = 'GET';
$expires = intval(time() + 300);
$path = '/container/object';
$key = 'Hrq65olI0ScXHLwD6gwdp7emgOSqcX';

$hmac_body = "$method\n$expires\n$path";
$sig = hash_hmac('sha1', $hmac_body, $key);


require "openssl"
method = 'GET'
expires = (Time.now + 300).to_i
path = '/container/object'
key = 'Hrq65olI0ScXHLwD6gwdp7emgOSqcX'

hmac_body = "#{method}\n#{expires}\n#{path}"
sig = OpenSSL::HMAC.hexdigest("sha1", key, hmac_body)

Note about the path

If you are using the internal url syntax to the object, say:
make sure the path variable is the full path, including the version indicator:
path = '/v1/AUTH_abcd010abcd010abcd010abcd010/container/object'

If the HMAC signature generated is 8103c09e0425329b2d4f2b3494e466354b4e22ad and the expiration timestamp is 1370358581, the full URL should be something like:

With GET TempURLs, a Content-Disposition header will be set on the response so that browsers will interpret this as a file attachment to be saved. The filename chosen is based on the object name, but you can override this with a filename query parameter. Note that the filename is not signed, so the filename parameter can be appended to the URL without recomputing the signature:

Key Management

TempURL supports up to two keys, specified by X-Account-Meta-Temp-URL-Key and X-Account-Meta-Temp-URL-Key-2. Signatures are checked against both keys, if present. This is to allow for key rotation without invalidating all existing temporary URLs.

Note that changing either X-Account-Meta-Temp-URL-Key or X-Account-Meta-Temp-URL-Key-2 will invalidate any previously generated temporary URLs signed with that key within 60 seconds. It is not instantaneous.
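The checks this how-to describes (method, expiry, path, and a signature accepted under either account key) can be modelled in a few lines of Python. This is an added example, not CloudVPS or OpenStack Swift code; the function names, NEW_KEY and NOW are assumptions made for illustration.

```python
import hmac
from hashlib import sha1
from urllib.parse import urlsplit, parse_qs

def sign(method, expires, path, key):
    """HMAC-SHA1 over METHOD, EXPIRES and PATH joined by newlines."""
    body = f"{method}\n{expires}\n{path}".encode()
    return hmac.new(key.encode(), body, sha1).hexdigest()

def make_temp_url(method, path, key, ttl, now):
    """Return the object path plus the two TempURL query parameters."""
    expires = int(now) + ttl
    sig = sign(method, expires, path, key)
    # temp_url_sig / temp_url_expires are the parameter names Swift uses
    return f"{path}?temp_url_sig={sig}&temp_url_expires={expires}"

def verify_temp_url(method, url, keys, now):
    """Simplified model of the server-side check (not Swift's own code)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        sig = query["temp_url_sig"][0]
        expires = int(query["temp_url_expires"][0])
    except (KeyError, ValueError):
        return False              # missing or malformed parameters
    if expires <= now:
        return False              # link has expired
    # Accept a match under either account key; None means "header not set".
    # compare_digest does not reveal how many leading characters matched.
    return any(
        hmac.compare_digest(sign(method, expires, parts.path, k).encode(),
                            sig.encode())
        for k in keys if k
    )

PATH = "/v1/AUTH_abcd010abcd010abcd010abcd010/container/object"
OLD_KEY = "Hrq65olI0ScXHLwD6gwdp7emgOSqcX"  # sample secret from this page
NEW_KEY = "constructed-replacement-secret"   # constructed for the example
NOW = 1700000000                             # constructed clock value
URL = make_temp_url("GET", PATH, OLD_KEY, 300, NOW)

if __name__ == "__main__":
    # Rotation: the new secret goes in Key, the old one moves to Key-2.
    print("old link after rotation:", verify_temp_url("GET", URL, [NEW_KEY, OLD_KEY], NOW))
    print("old link once old key is removed:", verify_temp_url("GET", URL, [NEW_KEY, None], NOW))
    print("with unsigned filename:", verify_temp_url("GET", URL + "&filename=report.pdf", [OLD_KEY], NOW))
```

Keeping the previous secret in the second key slot until the longest-lived outstanding link has expired lets a rotation complete without breaking links already handed out.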

openstack developer URL:


Using The CloudVPS Interface

To set the X-Account-Meta-Temp-Url-Key in the CloudVPS Interface, click on the Project Options icon and fill in the Meta-data.

If the X-Account-Meta-Temp-URL-Key is set, the interface will detect this and present a link to the TempURL editor in the Object information section (click on the container, then on the object):

This will open a dialogue where you can set the parameters for the TempURL.

After setting the date and time, hit the "Generate Temp URL" button and the link will be generated, which should resemble:
