CometChat generates pre-signed URLs for all media files shared in chat, including images, audio, video, and documents. A pre-signed URL embeds a cryptographic signature and an expiry timestamp directly in the URL, so files are accessible only within a defined time window, without requiring API credentials on the client side.
This feature is enabled by default for all newly created apps. Existing apps can opt in from the CometChat Dashboard.
What are we launching?
We are launching Pre-Signed URLs as a default feature for media file access in CometChat.
When a media file is sent or retrieved, CometChat returns a pre-signed URL Each URL contains three parameters:
Expires: Unix timestamp after which the URL is no longer valid
Signature: Cryptographic signature that validates the URL integrity
Key-Pair-Id: Identifier for the signing key pair used by CometChat
Pre-signed URLs are returned across all surfaces: SDK responses, REST API, and webhook payloads.
Why does this matter to me as a developer?
Media files shared in chat are sensitive. Images, documents, and audio sent between users should not be permanently accessible to anyone with a link, and they should not require your app to expose API credentials on the client to control access.
Pre-signed URLs solve both problems. Access is time-limited by a cryptographic expiry built into the URL itself. No credentials need to be passed to the client. No additional access control logic needs to be built on your side.
CometChat handles the signing and expiry automatically, across every media file, on every surface.
Key features and capabilities
Covers all media types
Pre-signed URLs are generated for all media files shared in chat:
Images
Audio
Video
Documents
Every file attachment gets a time-limited URL, not just specific types.
Returned across all surfaces
Pre-signed URLs are returned wherever media file references appear:
SDK responses
REST API
Webhook payloads
You do not need to handle different URL formats depending on how your integration retrieves messages.
Configurable TTL
The TTL (Time-to-Live) controls how long a generated pre-signed URL remains valid. You set this in the Dashboard:
Minimum: 15 minutes
Maximum: 1 month
Default: 1 day
TTL configuration is available on all plans. Changes take effect for all new pre-signed URLs generated after saving. Existing URLs retain their original expiry.
What is interesting about the tech behind this?
Expiry and integrity are embedded in the URL
The Expires timestamp and the Signature are part of the URL itself. This means access control does not require a server round-trip to validate. The URL is either valid or it is not, based on the cryptographic signature and the current time.
No client-side credentials required
Because the signature is embedded in the URL, clients can fetch media files directly without needing API keys or auth tokens. Access is controlled by the URL itself, not by who is making the request.
Existing URLs are not affected by TTL changes
When you update the TTL in the Dashboard, it applies to all new pre-signed URLs generated after saving. URLs that have already been generated keep their original expiry. This means changing the TTL does not invalidate media currently in use.
Reference links
Pre-Signed URLs documentation: https://www.cometchat.com/docs/fundamentals/presigned-urls
Nivedita Bharathy
Product Marketing Specialist , CometChat