# URL sealing To prevent your customer from removing certain parameters, you can seal them. For example, if you don't want your users to get the image without a watermark or a certain filter, you can use the URL sealing feature. This system is similar to the [url-signature](https://docs.cloudimage.io/setup/security/token-security/url-signature "mention") feature but it is only sealing the `ci_eqs` parameters and allows you to add more filters and operations to the URL without re-generating the signature. This method is compatible with the [responsive-images-js-plugin](https://docs.cloudimage.io/implementation/responsive-images-js-plugin "mention"). Please be aware that when URL sealing is activated for your token, all Cloudimage URLs that are not signed properly will cease to work. The signature is calculated as follows: **Signature** = sha1('**URI'** + '**ci\_eqs**' + '**Salt**') where **URI** = original\_image\_url and **ci\_eqs** = value of the content of `ci_eqs` query string The syntax to process an image is: //**token**.cloudimg.io/original\_image\_url?**ci\_eqs=Sealed\_parameters**&**ci\_seal=Signature** The **Salt** string is a shared secret between you and Cloudimage and only *you* will be able to calculate the signature of your images. ## Activation Before activating URL sealing, please make sure that all Cloudimage URLs contain the proper signatures (see the [#od\_82705325](#od_82705325 "mention") section below). To activate this feature, you need to navigate to *Image Settings / Security* and activate the *URL security* toggle.

In the *Add Security* modal, you need to choose *URL Sealing* and place a string you will be using as salt when generating the sealed parameter signature. ## Usage ### Step 1. Encode the query string To watermark an image at the URL `samples.scaleflex.com/birds.jpg` with query string `wat=1&wat_url=http://samples.scaleflex.com/louis-vuitton-logo-white.png&wat_scale=45&wat_gravity=southwest&wat_pad=15`, you need to first *base64-encode* the query string: ```js base64('wat=1&wat_url=http://samples.scaleflex.com/louis-vuitton-logo-white.png&wat_scale=45&wat_gravity=southwest&wat_pad=15') ``` becomes `d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1` ### Step 2. Create the signature The signature has to be created by sha1-hashing the string '**URI'** + '**ci\_eqs**' + '**Salt**': ```js sha1('samples.scaleflex.com/birds.jpg' + 'd2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1' + 'salt') ``` The final signature is: `a355cce069fbfb18a4c39113067bf626ead2ebab` ### Step 3. Construct the URL //**token**.cloudimg.io/original\_image\_url?**ci\_eqs=Sealed\_parameters**&**ci\_seal=Signature** The final URL becomes: [https://**demoseal**.cloudimg.io/samples.scaleflex.com/birds.jpg?**ci\_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1**&**ci\_seal=a355cce069fbfb18a4**](https://demoseal.cloudimg.io/https://samples.scaleflex.com/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1\&ci_seal=a355cce069fbfb18a4&) ### Step 4. Use and extend the request You can use the URL as is or append more parameters to the query string: [https://**demoseal**.cloudimg.io/samples.scaleflex.com/birds.jpg?**ci\_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1**&**ci\_seal=a355cce069fbfb18a4**&**w=700**&**h=700**](https://demoseal.cloudimg.io/https://samples.scaleflex.com/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1\&ci_seal=a355cce069fbfb18a4\&w=700\&h=700&) Any parameters that are included in the sealed portion cannot be overwritten in the URL. For example, if a watermark is activated with **wat=1** and sealed, appending **wat=0** in the URL will not remove the watermark: [https://**demoseal**.cloudimg.io/samples.scaleflex.com/birds.jpg?**ci\_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1**&**ci\_seal=a355cce069fbfb18a4**&**wat=0**](https://demoseal.cloudimg.io/https://samples.scaleflex.com/birds.jpg?ci_eqs=d2F0PTEmd2F0X3VybD1odHRwOi8vc2FtcGxlLmxpL2xvdWlzLXZ1aXR0b24tbG9nby13aGl0ZS5wbmcmd2F0X3NjYWxlPTQ1JndhdF9ncmF2aXR5PXNvdXRod2VzdCZ3YXRfcGFkPTE1\&ci_seal=a355cce069fbfb18a4\&wat=0&) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.cloudimage.io/setup/security/token-security/url-sealing.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.