How to generate non-expiring signed URLs

Amazon S3

High Level Overview

Amazon S3 has a maximum signature expiry of 7 days. In order to upload signed URLs to Labelbox that don’t expire, we recommend proxying URLs through an endpoint on your server.

In the example below, we show one way to proxy through a simple Flask app. We’ve provided a one-click deploy through Heroku, but you could also host this handler yourself or build it into your existing web service.

We will…

  1. Deploy a proxy endpoint: This endpoint accepts a URL carrying a token signed with our JWT secret and returns a newly signed S3 URL to an asset.
  2. Generate Signed URLs Pointing at our Proxy: For each asset in our S3 bucket, we will generate a URL, signed with our JWT secret, that points to our server endpoint.

1. Deploy a proxy endpoint

First, you’ll need to get IAM information to be able to create pre-signed URLs…

  - AWS_ACCESS_KEY_ID
  - AWS_SECRET_ACCESS_KEY
  - a bucket name

Make sure this IAM user can LIST and GET files in the bucket.

Check out the example proxy we made. You can deploy it with one click here…

2. Generate Signed URLs Pointing at our Proxy

  1. From Heroku, get the host URL of your new app by clicking “open app”
  2. Then get the generated secret (settings > reveal config vars)
git clone
cd generate-tokenized-urls/

# confirm you have node.js installed
node --version

npm install
node cli.js \
  --bucket <your-aws-bucket-name> \
  --host https://<your-new-heroku-url> \
  --secret <heroku-generated-config-secret> \
  --output labelbox-import.json

Then you can upload labelbox-import.json to Labelbox and you’re good to go.
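The token check the proxy in step 1 depends on, and the URL minting from step 2, as an added sketch that is not the example proxy's or the CLI's own code. It assumes an HS256 JWT with hypothetical `bucket` and `key` claims carried in a hypothetical `token` query parameter; the real tools may use a different layout.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlencode, urlparse

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input: str, secret: str) -> str:
    mac = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256)
    return _b64(mac.digest())

def mint_proxy_url(host: str, secret: str, bucket: str, key: str) -> str:
    """Step 2: non-expiring URL for one asset (deliberately no `exp` claim)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64(json.dumps({"bucket": bucket, "key": key}).encode())
    token = f"{header}.{claims}." + _sign(f"{header}.{claims}", secret)
    return f"{host}/?{urlencode({'token': token})}"

def verify_proxy_url(url: str, secret: str, bucket: str):
    """Step 1: return the S3 key to presign, or None if the token is not ours."""
    try:
        token = parse_qs(urlparse(url).query)["token"][0]
        header_b64, claims_b64, sig = token.split(".")
        # Pin the algorithm; never let the token pick it (rejects alg=none).
        if json.loads(_unb64(header_b64)).get("alg") != "HS256":
            return None
        expected = _sign(f"{header_b64}.{claims_b64}", secret)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None
        claims = json.loads(_unb64(claims_b64))
        # Serve only keys from the bucket this proxy was deployed for.
        if claims.get("bucket") != bucket or not isinstance(claims.get("key"), str):
            return None
        return claims["key"]  # proxy would now presign a short-lived GET for it
    except (KeyError, ValueError, TypeError, AttributeError):
        return None

if __name__ == "__main__":
    # Constructed sample values, not real credentials or hosts.
    url = mint_proxy_url("https://proxy.example", "constructed-secret",
                         "my-bucket", "images/cat 1.jpg")
    print(url, "->", verify_proxy_url(url, "constructed-secret", "my-bucket"))
```

Because these tokens carry no expiry, the only way to revoke them is to rotate the secret, which invalidates every URL already imported.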
