html.surf
Sign in
Docs /Download Tokens Dashboard →

Download Tokens

Secure, time-limited tokens that control access to your digital products and track download usage.

What are Download Tokens?

Download tokens are secure, cryptographically signed URLs that grant temporary access to your digital products. They act as digital keys that can be customised with expiration times, download limits, and customer metadata.

Example Token URL

https://continuata.io/download?token=ct_abc123def456ghi789

Creating Tokens

Via Dashboard

  1. Navigate to your product page
  2. Click Generate Download Token
  3. Configure token settings (expiration, limits, customer info)
  4. Copy the generated download URL
  5. Share with your customer via email — or point them at continuata.io/my where they can self-serve any purchase tied to their email address

Via API

Token generation is exposed at POST /api/generate-download-url. The body is intentionally minimal — additional metadata is captured automatically when the token is consumed.

POST /api/generate-download-url

{
  "productId": "epic-drums-v1",
  "version": "1.0.0"
}

See Products API → Generate Download URL for the full request and response shape.

Token Lifetime

Tokens minted via the API or the Test Download button expire 24 hours after creation. This is intentional — they're a short-lived courtesy link, not a long-term access grant.

For long-term access, use the customer portal: Customers don't need to keep token URLs around. continuata.io/my lets them re-mint a fresh download link for any of their purchases at any time, indefinitely. Always link to the portal in your post-purchase emails.

Token Security

Tokens are random opaque strings stored against the manifest in KV with a 24-hour TTL. There's nothing in the token itself for an attacker to forge against — it either matches a stored entry or it doesn't.

  • 24-hour expiration enforced at the storage layer
  • Each token is bound to a specific product version
  • Always serve token URLs over HTTPS — never log them in plaintext

Best Practices

✓ Recommended

  • Always include a link to continuata.io/my in post-purchase emails
  • Mint a fresh token per delivery — don't try to share one across customers
  • Use HTTPS everywhere — never log token URLs in plaintext
  • Treat 24-hour expiration as a feature, not a limitation

✗ Avoid

  • Sharing tokens publicly or in forums
  • Caching token URLs as if they were permanent download links
  • Using one token for multiple customers
  • Storing tokens in plain text logs or analytics events

Automation Ready: Set up automated token generation via platform integrations or build custom workflows with our API.