All Docs
FeaturesCSI Teachable Replacement AppUpdated March 15, 2026

Secure Asset Delivery with Signed URLs

Secure Asset Delivery with Signed URLs

As of v1.0.61, all downloadable assets — PDFs, images, and other course attachments — are served through short-lived signed URLs rather than permanent public links. This ensures that only authenticated users who are actively viewing a page can access the underlying files.

How It Works

  1. Page render triggers signing. Every time a learner loads a page that contains an asset (e.g. a lesson PDF or an embedded image), the server generates a fresh signed URL for that asset.
  2. URLs are short-lived. Each signed URL carries an expiry. Once the URL expires, it can no longer be used to fetch the asset — even by someone who previously copied the link.
  3. No permanent public links. Asset storage (Vercel Blob) is configured so that objects are not publicly accessible by default. All access is gated behind the signing mechanism.

Why This Matters

Before v1.0.61From v1.0.61 onwards
Assets served from permanent public URLsAssets served from short-lived signed URLs
Sharing or guessing a URL granted permanent accessShared URLs expire and become invalid
No server-side gating on individual asset requestsServer signs each URL at render time, enforcing authentication

Impact on Administrators

  • No configuration required. Signed URL generation is enabled automatically for all organizations.
  • Existing content is unaffected. Course structures, lesson content, and metadata are unchanged; only the delivery mechanism for binary assets has been updated.
  • Audit & compliance. Because access is tied to authenticated page renders, your organization's asset downloads are now implicitly scoped to logged-in users, supporting stricter data-access audit trails.

Impact on Learners

  • No visible change. Download and preview links continue to work as before during an active session.
  • Bookmarked asset URLs will stop working. Any direct asset URLs saved before this release will no longer grant access. Learners should navigate to the relevant lesson page to obtain a fresh link.

Technical Details

  • Signing is performed server-side on each page render using Vercel Blob's signed URL API.
  • The signed URL is injected into the rendered page/response; the raw storage URL is never exposed to the client.
  • Expiry duration is managed by the platform and is not configurable at the organization level in this release.

Related