Create a CloudFront key group, upload your RSA public key, and attach the key group to the distribution's cache behavior that covers your media paths
In your application backend, generate a CloudFront custom policy JSON specifying the resource pattern (e.g., https://cdn.example.com/streams/SESSION_ID/*), an expiry epoch, and optional IP condition
Sign the policy with your RSA private key, base64-encode it (using the CloudFront URL-safe alphabet), and set three cookies on the viewer's browser: CloudFront-Policy, CloudFront-Signature, and CloudFront-Key-Pair-Id
Configure the cache behavior to forward the three CloudFront-* cookies to the origin so they are included in cache key lookups; add them to the Origin Request Policy if needed
Test with curl: a segment fetch that includes the three cookies should return 200, and the same fetch without the cookies should return 403
Known gotchas
HLS multivariant playlists, media playlists, and segments all require the cookies to be present; the cookies must match a single wildcard resource pattern that covers all three URL types, or some requests will return 403
CloudFront signed cookies use a non-standard base64 alphabet (+ → -, / → _, = → ~); using standard base64 encoding produces an invalid signature that returns 403 with no descriptive error
If the distribution has multiple cache behaviors, the cookies must be set with a Path that covers all media URL prefixes; a cookie scoped to /streams/ will not be sent for /init/ segment paths
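The steps above (build the custom policy, sign it, encode it with CloudFront's alphabet, set the three cookies) and the gotchas that follow them are carried through in the example below. It is an added example, not code from the original page: the RSA key is a constructed toy built from two Mersenne primes so the script runs offline with only the standard library, `KEY_PAIR_ID` is a placeholder for the key group's public key ID, the session and domain values are made up, and `edge_allows` is my own approximation of the checks CloudFront performs at the edge, included so the cookies can be exercised locally. The character substitution in `cf_b64encode` is the one AWS documents for CloudFront signatures (`+` to `-`, `=` to `_`, `/` to `~`).

```python
"""CloudFront signed cookies for an HLS session (added example, not from the page).
Toy RSA key constructed from Mersenne primes: never use such a key in production;
load the key group's private key from its PEM file instead."""
import base64
import fnmatch
import hashlib
import ipaddress
import json
from typing import Optional

# CloudFront's URL-safe alphabet (per AWS docs): '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = bytes.maketrans(b"+=/", b"-_~")
_FROM_CF = bytes.maketrans(b"-_~", b"+=/")

def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).translate(_TO_CF).decode("ascii")

def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii").translate(_FROM_CF))

# --- constructed toy RSA key (648-bit modulus) ------------------------------
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KEY_LEN = (N.bit_length() + 7) // 8      # 81 bytes
KEY_PAIR_ID = "KEXAMPLEKEYPAIRID"       # placeholder for the key group public key ID

# CloudFront signatures are RSA-SHA1, PKCS#1 v1.5; this is the SHA-1 DigestInfo header.
_SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")

def _emsa_pkcs1_v15(message: bytes) -> bytes:
    digest_info = _SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    padding = b"\xff" * (KEY_LEN - len(digest_info) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info

def rsa_sha1_sign(message: bytes) -> bytes:
    em = int.from_bytes(_emsa_pkcs1_v15(message), "big")
    return pow(em, D, N).to_bytes(KEY_LEN, "big")

def rsa_sha1_verify(message: bytes, signature: bytes) -> bool:
    if len(signature) != KEY_LEN:
        return False
    recovered = pow(int.from_bytes(signature, "big"), E, N).to_bytes(KEY_LEN, "big")
    return recovered == _emsa_pkcs1_v15(message)

# --- backend side: policy and cookies ---------------------------------------
def build_policy(resource: str, expires_epoch: int, source_ip: Optional[str] = None) -> bytes:
    """Compact policy JSON (no whitespace); these exact bytes are what gets signed."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    doc = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(doc, separators=(",", ":")).encode("ascii")

def signed_cookies(resource: str, expires_epoch: int, source_ip: Optional[str] = None) -> dict:
    policy = build_policy(resource, expires_epoch, source_ip)
    return {
        "CloudFront-Policy": cf_b64encode(policy),
        "CloudFront-Signature": cf_b64encode(rsa_sha1_sign(policy)),
        "CloudFront-Key-Pair-Id": KEY_PAIR_ID,
    }

def set_cookie_headers(cookies: dict, domain: str) -> list:
    # Path=/ so the browser sends the cookies for /streams/... and /init/... alike.
    return [f"Set-Cookie: {name}={value}; Domain={domain}; Path=/; Secure; HttpOnly"
            for name, value in cookies.items()]

# --- edge side: approximation of what CloudFront checks before serving -------
def edge_allows(cookies: dict, url: str, now: int, viewer_ip: Optional[str] = None) -> bool:
    try:
        policy = cf_b64decode(cookies["CloudFront-Policy"])
        signature = cf_b64decode(cookies["CloudFront-Signature"])
    except (KeyError, ValueError):
        return False                      # missing or mis-encoded cookie -> 403
    if cookies.get("CloudFront-Key-Pair-Id") != KEY_PAIR_ID:
        return False
    if not rsa_sha1_verify(policy, signature):
        return False                      # tampered policy or wrong key -> 403
    statement = json.loads(policy)["Statement"][0]
    condition = statement["Condition"]
    if now >= condition["DateLessThan"]["AWS:EpochTime"]:
        return False                      # expired
    if "IpAddress" in condition:
        allowed = ipaddress.ip_network(condition["IpAddress"]["AWS:SourceIp"], strict=False)
        if viewer_ip is None or ipaddress.ip_address(viewer_ip) not in allowed:
            return False
    # The single wildcard resource must cover playlists, init and media segments.
    return fnmatch.fnmatchcase(url, statement["Resource"])

if __name__ == "__main__":
    cookies = signed_cookies("https://cdn.example.com/streams/sess42/*", 2_000_000_000)
    for header in set_cookie_headers(cookies, "cdn.example.com"):
        print(header)
```

With a real key group key, swap `rsa_sha1_sign` for the `cryptography` package's `private_key.sign(policy, padding.PKCS1v15(), hashes.SHA1())` and keep everything else; the encoding and cookie handling do not change. The `__main__` block prints the three `Set-Cookie` headers, which you can paste into the `curl -b` test from the steps above.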