{"id":38154,"date":"2025-08-07T07:00:00","date_gmt":"2025-08-07T14:00:00","guid":{"rendered":"https:\/\/cloudinary.com\/blog\/?p=38154"},"modified":"2025-11-26T17:04:32","modified_gmt":"2025-11-27T01:04:32","slug":"access-control-sensitive-confidential-assets","status":"publish","type":"post","link":"https:\/\/cloudinary.com\/blog\/access-control-sensitive-confidential-assets","title":{"rendered":"Using Cloudinary’s Access Control for Sensitive or Confidential Assets"},"content":{"rendered":"

In many use cases, assets uploaded to Cloudinary should be publicly accessible. However, there are situations where assets are sensitive or confidential (for example, scans of legal documents, in-house guides, etc.). If you need to distribute these sensitive materials to another party or system through Cloudinary, it\u2019s important to ensure that only authorized individuals can access them.<\/p>\n

This blog post focuses on the Access Control<\/a> feature of Cloudinary, which enables the management of sensitive assets. We will be using the Node SDK<\/a> for the code examples, although this feature is also supported on other SDKs<\/a>.<\/p>\n

Changing Access Control<\/h2>\n

Access Control can be managed on any asset through the Cloudinary DAM dashboard or the Cloudinary API. In the dashboard, one of the ways this can be done is by clicking the asset and then clicking the Access control<\/strong> dropdown on the right sidebar:<\/p>\n\"Asset\n

This opens a small dialog where you can choose between two options: Public<\/strong> and Restricted<\/strong>:<\/p>\n\"Access\n

The Public<\/strong> option is selected by default, which means that anyone can view the asset. Selecting the Restricted<\/strong> option only allows access with a specialized token (we\u2019ll come back to this in a bit), while there\u2019s an additional option that also allows public access within a given period:<\/p>\n\"Restricted\n

If Time-limited access<\/strong> is checked, we can choose a period and set a start date, an end date, or both. If any of these options are selected, the asset will be publicly available during the specified period.<\/p>\n\"Time-limited\n

The dashboard also allows you to perform this in bulk. To do that, all you need to do is multiple-select the assets, click the three-dot menu in the top-right corner, and click Set Access Control<\/strong>:<\/p>\n\"Three-dot\n

In the Cloudinary SDK<\/h3>\n

To accomplish the same using the Cloudinary SDK, you can use the access_control<\/code> property when uploading or updating an image. The parameter accepts an array of access types, determining how the asset is accessible. Supported types include: token<\/code> and anonymous<\/code> (allowing public access with optional ISO 8601 date ranges, with only one anonymous<\/code> type allowed). The following example effectively makes the asset restricted to token-based access, except between June 10th and July 20th of 2025, when it\u2019s publicly available:<\/p>\n

\/\/ Cloudinary setup<\/span>\nconst<\/span> cloudinary = require<\/span>('cloudinary'<\/span>).v2;\n\ncloudinary.config({ \n  cloud_name<\/span>: 'your-cloud-name'<\/span>, \n  api_key<\/span>: 'your-api-key'<\/span>, \n  api_secret<\/span>: 'your-api-secret'<\/span> \n});\n\n\/\/ Upload with access control settings<\/span>\ncloudinary.uploader.upload(\"sample.jpg\"<\/span>, \n  { access_control<\/span>: [\n    { access_type<\/span>: \"token\"<\/span> }, \n    { \n      access_type<\/span>: \"anonymous\"<\/span>, \n      start<\/span>: \"2025-06-10T12:00Z\"<\/span>, \n      end<\/span>: \"2025-07-20T12:00Z\"<\/span> \n    } \n  ]}\n)\n.then(result<\/span> =><\/span> console<\/span>.log(result))\n.catch(error<\/span> =><\/span> console<\/span>.error(error));\n<\/code><\/span>Code language:<\/span> JavaScript<\/span> (<\/span>javascript<\/span>)<\/span><\/small><\/pre>\n
Generating Tokens<\/h2>\n
If you have set a token-based access type (either by setting Restricted<\/strong> in the dashboard without time-based access or with access_type<\/code> of the token<\/code> through the SDK), you also need to generate a token for external parties to access the asset. However, please note that this is only possible if you have enabled this feature by submitting a request to Cloudinary. This is needed because setting up token-based access also requires some additional configuration on the CDN. Once you\u2019ve gained access to the feature, you will also be provided with an encryption key<\/strong>, which is then used to generate an access token.<\/p>\n
A token is simply a cryptographic string generated through the SDK. While generating it, you can also control the token\u2019s validity by:<\/p>\n