A signed URL is a temporary, scoped link to a single object. It lets a client read or upload one file directly to storage, without making the bucket public and without sharing your credentials. It's a time-limited guest pass. It opens one specific door, and only until it expires.
How to use it
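import { S3Client, GetObjectCommand } from "@aws-sdk/client-s3";
import { getSignedUrl } from "@aws-sdk/s3-request-presigner";

// The client reads its region and credentials from the environment
const s3 = new S3Client({});

// A link the browser can use to download one private file for 5 minutes
const url = await getSignedUrl(
  s3,
  new GetObjectCommand({ Bucket: "my-app-uploads", Key: "invoices/123.pdf" }),
  { expiresIn: 60 * 5 } // lifetime in seconds
);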
The same trick works for uploads with a PutObjectCommand. The browser uploads
straight to the bucket, so the file never has to pass through your server.
Why it matters
- Your bucket stays private; only holders of a valid link get in
- Large uploads and downloads skip your server, saving bandwidth and memory
- Access expires on its own. No cleanup, no lingering public links
Exercise
Presigned URLs — time-limited access without credentials
Implement two functions using @aws-sdk/s3-request-presigner:
- generateDownloadUrl(key, expiresIn): a URL anyone can use to GET the object
- generateUploadUrl(key, expiresIn): a URL anyone can use to PUT an object
Presigned URLs embed your access key ID, a signature computed with your secret key, and the expiry in the URL itself. The secret key is never part of the link. The caller needs no AWS credentials: the URL is self-contained, so anyone who holds it can use it until it expires.
Common uses: browser-direct uploads, share links, and short-lived download tokens.
The expiresIn parameter sets how many seconds the URL remains valid.
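To see what a presigned link actually carries, here is an added example (not code from the original page) that reads the signing time, lifetime and key ID out of a SigV4 presigned URL and checks them against a limit. The sample URL, its dummy signature and the 900-second `maxSeconds` limit are assumptions constructed for illustration.

```javascript
// Added example: inspect a SigV4 presigned URL without calling AWS.
// SAMPLE_URL is constructed. The key ID is AWS's documentation
// placeholder and the signature is a dummy value.
const SAMPLE_URL =
  "https://my-app-uploads.s3.us-east-1.amazonaws.com/invoices/123.pdf" +
  "?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE%2F20240115%2Fus-east-1%2Fs3%2Faws4_request" +
  "&X-Amz-Date=20240115T120000Z&X-Amz-Expires=300" +
  "&X-Amz-SignedHeaders=host&X-Amz-Signature=" + "ab".repeat(32);

// Parse "20240115T120000Z" (ISO 8601 basic format, UTC) into a Date.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s ?? "");
  if (!m) throw new Error("missing or malformed X-Amz-Date");
  const [y, mo, d, h, mi, sec] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, sec));
}

// maxSeconds is a hypothetical local policy limit, not an AWS setting.
function inspectPresignedUrl(rawUrl, now = new Date(), maxSeconds = 900) {
  const url = new URL(rawUrl);
  // Lower-case the parameter names so lookups do not depend on casing.
  const q = new Map([...url.searchParams].map(([k, v]) => [k.toLowerCase(), v]));
  const expires = Number(q.get("x-amz-expires"));
  if (!Number.isInteger(expires) || expires <= 0) throw new Error("missing or invalid X-Amz-Expires");
  const signedAt = parseAmzDate(q.get("x-amz-date"));
  const expiresAt = new Date(signedAt.getTime() + expires * 1000);
  // Credential scope: <access key ID>/<date>/<region>/<service>/aws4_request
  const [accessKeyId, , region, service] = (q.get("x-amz-credential") ?? "").split("/");
  return {
    host: url.hostname,
    path: decodeURIComponent(url.pathname),
    accessKeyId,              // identifies the signer; not a secret
    region,
    service,
    signedAt,
    expiresAt,
    expired: now >= expiresAt,
    exceedsPolicy: expires > maxSeconds,
    hasSignature: /^[0-9a-f]{64}$/.test(q.get("x-amz-signature") ?? ""),
  };
}
```

Because the expiry and key ID are readable by anyone who sees the link, the same parsing works on URLs found in access logs or shared documents when checking how long they stay usable.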