> ## Documentation Index > Fetch the complete documentation index at: https://bunnynet-cb9733c2-support-migration.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # Token Authentication > Protect your content with signed URLs that expire and can be restricted by location or IP. Token authentication blocks requests to your Pull Zone unless a valid signed token is included. Use it to protect premium content, create expiring download links, or restrict access by country or IP. ## Choose a method | Method | Hash | Features | | ------------------------------------------------------- | ------ | ----------------------------------------------------------------------- | | [Basic](/cdn/security/token-authentication/basic) | MD5 | Expiry, optional IP validation | | [Advanced](/cdn/security/token-authentication/advanced) | SHA256 | Expiry, IP validation, geo-restrictions, directory tokens, speed limits | Both methods can be used on the same Pull Zone. Start with Basic for simple expiring URLs. Use Advanced if you need geo-restrictions, directory-level access for video streaming, or speed limits. ## Enable token authentication Go to **CDN**, select your Pull Zone, then click **Security**. Toggle **Token Authentication** on and copy the **URL Token Authentication Key**.

Keep your security key secret. Anyone with access to this key can generate valid tokens. ## How it works Your application signs each URL by creating a hash from your security key, the URL path, and an expiration time: ``` https://myzone.b-cdn.net/video.mp4?token=abc123&expires=1598024587 ``` Bunny recalculates the hash on each request. If it matches and the expiration hasn't passed, the request succeeds. IPv6 is automatically disabled when token authentication is enabled.