Backend token authentication

Difficulty level: Difficult


The backend configured on this service requires an authentication token in the URL. If it's missing or invalid, the backend will return a 403 (Forbidden) response. We don't expect requests from end users to include the token, so it needs to be added at the edge.

Use as the backend, and the path /p1/source-1. This endpoint expects to receive the token in a query string parameter named token, in a GET request. For the token to be validated and accepted, the following steps should be performed at the edge:

  1. Let expiryTime be a Unix timestamp of a date in the future
  2. Let stringToSign be a string concatenation of the following, without whitespace or delimiters:
    • The request URL Path (e.g. "/foo" - a URL path does not include any query parameters or the hostname)
    • The value of expiryTime (e.g. "1649328979")
    • The User-Agent header (e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0")
    • The client IP address (e.g. "")
  3. Let signature be an base64 representation of an HMAC SHA 256 digest of stringToSign, generated using the secret vuVsBZ6JcHn8xtUP.
  4. Let tokenValue be a string concatenation of expiryTime and signature, separated by an underscore character.
  5. Let beReq be a new HTTP Request which has the same method, path and body as the client request
  6. Set the query parameters of beReq to a single entry, with the key "token" set to the value of tokenValue.
  7. Set the headers of beReq to
    • User-Agent: copy from client request
    • X-Client-IP: The IP address of the client
  8. Send beReq to the origin.

For example, this could be a sample request URL:

If the backend is able to recognize and validate the token, it will respond with a 200 (OK) status and a JSON payload.

Try this challenge now

For a guide to how challenges work see getting started.

User contributed notes


Do you see an error in this page? Do have an interesting use case, example or edge case people should know about? Share your knowledge and help people who are reading this page! (Comments are moderated; for support, please contact