[PDFBolt]

Yeah, OIDC with session-based access makes sense, especially for enforcing policies dynamically. For secure PDF access, we’ve found pre-signed URLs to be a solid approach. They allow temporary, controlled access without requiring ongoing authentication.

Here’s a simple example using AWS S3 (or any S3-compatible storage) to generate a pre-signed URL for a PDF: https://github.com/pdfbolt/generate-s3-presigned-url

This works well for temporary document access in workflows like report generation, invoicing, and legal docs.

[adeptima]

Thanx for sharing!

What if pre-signed URL is leaked, you cannot invalidate a pre-signed URL without rotating credentials or changing bucket policies, right?

I was thinking about signed cookies or API gateways type of solutions.

[PDFBolt]

You're right. Pre-signed URLs can’t be revoked once issued, but one way to mitigate the risk is by setting a short expiration time when generating them. For example, if the URL is only valid for 5-10 minutes, it remains secure, and the risk of misuse is minimal.