Launch Sale: Creator and Business plans are discounted for a limited time. View pricing

Signed Delivery (Fast Track)

Sign delivery URLs on your own server and skip play sessions entirely. No API round trip, no session token, no Authorization header — just a URL your listeners can stream immediately.

Best For

Public catalogs, marketing sites, previews, and any track you're comfortable serving to anyone with the link. Setup takes about 20 minutes.

Public access

Anyone with a validly signed URL can stream the file until the signature expires. Always sign on your server, choose a sensible signature lifetime, and delete keys you no longer use. Every signed request counts toward play usage and billing.

How it compares to play sessions

The Hybrid and Server-Side paths mint a play session — a short-lived, per-listener token created by calling the AudioDN API. That round trip is what lets you enforce entitlements (logins, subscriptions, purchases) at play time.

Signed delivery removes that round trip. You hold a per-organization HMAC secret and sign the delivery URL yourself, so the listener's request goes straight to your delivery domain and is verified at the edge. For public tracks where you don't need per-play authorization, this is the fastest and simplest option.

Play session (Hybrid / Server-Side) Signed delivery (this path)
API round trip per listener Yes — mint a session No — sign locally
Per-play authorization Enforced at session creation Your responsibility (who gets a link)
Best for Paywalled / gated audio Public tracks & previews
Plays counted for billing Yes Yes

For the full reference — the signature scheme, variant scoping, and reporting details — see the Signing Keys API docs.

Signing & Delivering

Mint a signing key, sign on your server, stream from your delivery domain.

1. Create a URL Signing Key

In the AudioDN dashboard, go to Settings → API Keys and create a URL Signing key. The secret is shown once — store it securely on your server. You can optionally set a signature lifetime (ttl) and restrict the key to specific variants.

2. Find Your Delivery Domain

Every organization gets a dedicated delivery subdomain in the form {organization_id}.audiodelivery.net. Copy yours from Settings → Organization → Delivery Domain. A file's full URL is your delivery domain plus the file's path:

https://1bb2f0c4-....audiodelivery.net/7e4386f0-..../20260709145408659.uSYrzmRWTDvEyjFz_lq.aac

3. Sign the URL on Your Server

Compute an HMAC-SHA256 token over the request path plus the current timestamp, then append it as a verify query parameter. This reference implementation uses the Web Crypto API and runs in Node 18+, Deno, Bun, and Cloudflare Workers:

function base64url(bytes) {
  let binary = '';
  const b = new Uint8Array(bytes);
  for (let i = 0; i < b.byteLength; i++) binary += String.fromCharCode(b[i]);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

async function hmacSha256(key, data) {
  const cryptoKey = await crypto.subtle.importKey(
    'raw', new TextEncoder().encode(key),
    { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']
  );
  return new Uint8Array(await crypto.subtle.sign('HMAC', cryptoKey, new TextEncoder().encode(data)));
}

// secret = the URL Signing key secret from the dashboard (keep this server-side)
// domain = your org delivery host, e.g. "1bb2....audiodelivery.net"
// path   = the file path, e.g. "folder-id/track-index_lq.mp3"
async function signUrl(secret, domain, path) {
  const u = new URL('https://' + domain + '/' + path);
  u.searchParams.delete('verify');

  const message = u.pathname + (u.search || '');
  const issued = Math.floor(Date.now() / 1000).toString();

  const mac = await hmacSha256(secret, message + issued);
  u.searchParams.append('verify', issued + '-' + base64url(mac)); // verify MUST be last

  return u.toString();
}

Keep the secret server-side

The signing secret must never reach the browser. If it does, anyone can mint URLs for your audio. Sign in a backend route and return only the finished URL to the client.

4. Serve the Signed URL to the Client

// Express example: hand a freshly signed URL to your frontend.
app.get('/api/track-url', async (req, res) => {
  const url = await signUrl(
    process.env.ADN_SIGNING_SECRET,      // never expose this to the client
    process.env.ADN_DELIVERY_DOMAIN,     // e.g. 1bb2....audiodelivery.net
    req.query.path                       // folder-id/track-index_lq.mp3
  );
  res.json({ url });
});

The frontend fetches a ready-to-play URL — no key material is exposed.

5. Play It Anywhere a URL Works

A signed URL is just a URL, so it drops straight into a native <audio> element, your own custom player, or a download link.

<!-- The signed URL works anywhere a normal audio URL does. -->
<audio controls src="https://{org}.audiodelivery.net/{file_path}?verify={issued}-{mac}">
</audio>

Using the ADN Player component?

The Player component authenticates with a Client-Side API key or a play-session-id rather than a pre-signed URL. If you want ADN's player UI, use the Web or Hybrid path. Signed delivery is for direct, play-session-free streaming.

6. Plays & Reporting

Signed URLs bypass the play session, but your play statistics stay accurate — plays are measured from actual audio delivery on your domain and aggregated hourly. Because every signed request is a real delivery, it counts toward your play usage and billing just like a play-session stream.