How to use Edge Content Protection

Edge Content Protection enforces paywall and entitlement validation at the CDN edge layer through Arc XP’s Edge Integration Framework (EIF). When enabled, content is rendered only after Entitlement cookies are validated, ensuring secure and consistent access control.

Content Rendering at the Edge

When a user requests a page:

1. Request arrives at Akamai Edge.

The Edge Content Protection module intercepts the request.

2. Exclusion check.

The system checks user-agent, IP, and path exclusion lists.

3. Entitlement Cookie validation.

The module extracts and validates the configured Entitlement cookie (default name: expiration):

  • Decodes the JWT payload.
  • Verifies the signature with the configured HMAC key.
  • Checks for valid exp (expiration) and nbf (not-before) claims.

4. Variant assignment.

  • If the cookie is missing, invalid, or expired, the request parameter variant=1 is appended.
  • If the cookie is valid, the request parameter variant=2 is appended.

5. Content rendering.

The variant value becomes part of the cache key. Arc returns different versions of the page based on the variant. Unauthorized users never receive premium content.
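
Steps 3 to 5 above, sketched in JavaScript as an added example (not Arc XP's implementation and not code from this page). It assumes the cookie is an HS256-signed JWT, that exp is mandatory and that nbf is enforced when present; signToken, isEntitled, assignVariant and the demo key are hypothetical names and constructed values.

```javascript
// Added example, not Arc XP code. Assumes an HS256-signed JWT in the cookie.
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");

// Hypothetical helper: issues a token so the sample data is self-contained.
function signToken(payload, key) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", key).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Step 3: true only if the signature and the time claims all check out.
function isEntitled(token, key, now = Math.floor(Date.now() / 1000)) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm; never let the token header select it (e.g. "none").
    const { alg } = JSON.parse(Buffer.from(head, "base64url").toString());
    if (alg !== "HS256") return false;
    const expected = createHmac("sha256", key).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, "base64url");
    // Check the signature before trusting any claim, in constant time.
    if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
    const { exp, nbf } = JSON.parse(Buffer.from(body, "base64url").toString());
    if (!Number.isFinite(exp) || now >= exp) return false; // missing or expired
    if (nbf !== undefined && (!Number.isFinite(nbf) || now < nbf)) return false;
    return true;
  } catch {
    return false; // malformed base64 or JSON fails closed
  }
}

// Steps 4-5: the variant is appended to the request and enters the cache key.
function assignVariant(cookies, key, now, cookieName = "expiration") {
  return isEntitled(cookies[cookieName], key, now) ? 2 : 1;
}

// Constructed sample data modelled on the page's sample payload.
const KEY = "constructed-demo-key-do-not-use-in-production";
const NOW = 1760443200;
const claims = { sub: "user_12345", entitlement: "premium", nbf: 1760443140, exp: 1763035200 };
const good = signToken(claims, KEY);
const forged = signToken(claims, "some-other-key");
console.log(assignVariant({ expiration: good }, KEY, NOW)); // 2
console.log(assignVariant({ expiration: forged }, KEY, NOW)); // 1
```

Every failure path (missing cookie, wrong key, tampered payload, unexpected alg, expired or not-yet-valid token) returns variant 1, so an error in parsing can never yield the premium variant.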

Configuration

Parameters

A few parameters must be configured before you can use the Edge Integration. They are set in the Delivery Edge Integrations Admin UI.

| Parameter | Description | Required? | Example/Default | Notes |
| --- | --- | --- | --- | --- |
| Cookie Name | Name of entitlement cookie (expiration by default). | Not required | | Only valid, non-expired tokens can be used. |
| Cookie Key | HMAC secret key used to validate JWT signature. | Required | | Used for decoding the cookie |
| User-agent exclude list | Comma-separated patterns to exclude bots. | Not required | Googlebot,*bot2 | |
| Path exclude list | URL patterns to bypass protection. | Not required | /resizer,/arc/* | |
| IP Address exclude list | IPs or CIDR blocks to exclude. | Not required | 192.168.1.5,10.0.0.0/8 | Does not use Subscription’s Group IP CIDR |

Sample JWT Payload

{
  "iss": "arc.example",
  "sub": "user_12345",
  "aud": "site_67890",
  "entitlement": "premium",
  "iat": 1760443200,
  "nbf": 1760443140,
  "exp": 1763035200
}

The entitlement field defines the user’s access level. The paywall variant is derived from cookie validation rather than entitlement mapping.

You can generate a key using this command:

openssl rand -base64 32

No key length is enforced, but a key of at least 32 characters is recommended.

Security & Best Practices

  • Always use a minimum 32-character HMAC key for cookie verification.
  • Do not expose redirect URLs in the configuration; expired or invalid cookies are handled inline.
  • Ensure excluded paths and agents are narrowly defined to prevent unintended bypasses.
  • Consider using a hybrid setup to pair server-side protection with client-side personalization or metering.