Is it possible to invalidate a signed URL / token on command?

Let’s say we generate a signed URL for a user so that they can watch a secured stream. Is there a way to invalidate that signed URL based on an arbitrary condition (aside from the exp restriction)?

As far as I know, no, you can’t invalidate the signed URL once it’s created.

The best way that I know of is to limit the time the signed URL is valid for. By default for us we used one hour. Originally we signed 25% longer than the duration of the video but our uses needed something longer, but not too long.

You could create a very limited signed URL and then on every request create a new signed URL so the user doesn’t ever get two of the same tokens.

Currently, you cannot completely invalidate a signed URL. However, you can make signed URLs more restrictive by adding additional access rules (such as IP restrictions) in addition to an expiration value. You can see details of supported access rules here: Secure your Stream · Cloudflare Stream docs
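
The per-request re-issue approach and the access-rule suggestion from the replies above, sketched as an added example that is not part of the thread and is not Cloudflare's code. An HMAC-signed token stands in for the provider's signed token; the key, TTL, claim names and `revoked_users` set are assumptions. It shows that an arbitrary condition can only be enforced at issuance, so an already-issued token stays valid until `exp`.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # constructed value; load real keys from a secret store
TTL = 60                          # seconds; assumed short lifetime per playback request
revoked_users = set()             # hypothetical "arbitrary condition", checked at issuance only

def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()

def issue(user, video, ip, now):
    """Mint a fresh short-lived token for one request, or None if the user is revoked."""
    if user in revoked_users:
        return None
    claims = {"sub": video, "exp": now + TTL, "ip": ip}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    return body.decode() + "." + _sign(body).decode()

def verify(token, video, ip, now):
    """Stateless check, as an edge would do it: signature, video id, client IP, expiry."""
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body.encode())):
            return False
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return False
    return claims["sub"] == video and claims["ip"] == ip and now < claims["exp"]

def demo():
    t0 = 1_700_000_000  # constructed timestamp
    video, ip = "video-123", "203.0.113.7"  # constructed sample values
    tok = issue("alice", video, ip, t0)
    out = {
        "valid": verify(tok, video, ip, t0 + 10),
        "other_ip": verify(tok, video, "198.51.100.9", t0 + 10),
    }
    revoked_users.add("alice")  # access withdrawn after the token was handed out
    # The token already issued cannot be recalled; it still verifies until exp.
    out["old_token_after_revoke"] = verify(tok, video, ip, t0 + 30)
    # The next request gets no new token, so exposure is bounded by TTL.
    out["reissue_after_revoke"] = issue("alice", video, ip, t0 + 30)
    out["old_token_after_ttl"] = verify(tok, video, ip, t0 + TTL)
    return out

if __name__ == "__main__":
    print(demo())
```

The window between revocation and actual loss of access equals the remaining lifetime of the last token issued, which is why the lifetime is the parameter to tune.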