Product environment console settings for Developers

You can configure settings that influence your account as a whole, as well as how your assets get uploaded, stored, and delivered within the currently selected product environment.

Some Settings affect both DAM users or admins and developers, so you should coordinate with other teams where relevant.

Click the Settings icon in the Console Options sidebar to view your Console Settings.

The default settings are a good place to start but you'll want to review all the settings to ensure they meet your organization's needs.

This page highlights the product environment settings and options most relevant to developers for managing and optimizing media workflows in Cloudinary.

Overview

API keys

If you're a user with a Master admin, Admin, or Technical admin role, you can find your API key and secret pairs, your cloud name, and your API Environment variable (a combination of all three credentials), on the API Keys page of the Cloudinary Console Settings. To interact with Cloudinary's APIs and backend SDKs, you'll need an API key and secret pair specific to your product environment, while the cloud name is sufficient for frontend calls.

To use the API Environment variable, copy the format from the API Keys page. Replace <your_api_key> and <your_api_secret> with your actual values, while your cloud name is already correctly included in the format.

Managing API keys

You can also manage your API keys from the API Keys page of the Console Settings. This allows you to generate new API key and secret pairs, activate them, and assign them names under the same cloud name. Generating multiple keys for various purposes—such as development, staging, and production environments—each with meaningful names for easy identification, helps organize access and usage according to different needs. If you have more than one API key in your product environment, you can deactivate and delete keys as needed to maintain security and control access.

You can also manage product environments programmatically via the access_keys endpoint of the Provisioning API. Provisioning API access is available for accounts on an Enterprise plan. If you don’t currently have access and would like to explore your options, contact us. For more details, see the Provisioning API reference.

Granular API key permissions for Upload and Admin APIs

You may want to allow certain developers to run specific endpoints in the Admin and Upload APIs and their equivalent SDK methods, and deny them from running others. You can create multiple API keys on the API Keys page of the Cloudinary Console Settings, and then coordinate with a Cloudinary solutions engineer to customize the keys for your product environment, with each key allowing access to different endpoints or groups of endpoints. You can then assign each customized API key to different developers to control who can perform which programmatic actions in your product environment.

For example, you might want to allow certain developers to:

• Use only GET methods, i.e., read-only permissions.
• Use only the transformations, upload_presets and streaming_profiles endpoints, with both read and write capabilities.
• Use all endpoints except DELETE methods.

If a user makes a call to an endpoint that's restricted by the API key, an error message stating that the provided API key doesn't have permission to run the API call is returned.

To set up granular permissions for your API keys:

1. Create all the API keys you want to customize from the API Keys page of the Cloudinary Console Settings.

2. Make a request to Cloudinary support to configure your permissions. When making your request, specify the API keys to update and the list of Upload API and Admin API endpoints you want to restrict for each one. For example, "Please restrict the : GET /streaming_profiles and POST /transformations/:name endpoints for the API key named: front-end-developers."

Limitations and considerations for API key permissions:

• Actions that are restricted in the API are still allowed via the Media Library. For example, if the metadata field endpoint is restricted by the API key, the user can still access metadata via the Media Library.
• Any developers whose access you want to limit must also be restricted to the Media Library admin or Media Library user roles, so that they won't have access to API key/secret pairs that are not configured for them.
• Actions in the Upload API can only be restricted for signed upload requests.
• If the API key status is set to disabled, then any requests made using that API key will be denied in any case.

Upload settings and backup

The Upload Settings & Backup page lets you configure default behaviors for media uploads to your product environment. Key settings include:

• Automatic backup: Determines whether every uploaded file is securely backed up, including support for multiple revisions. When enabled, the backups increase your account's storage usage (unless you set a private S3 or Google Cloud bucket for your backups).

Upload

• The Upload Presets tab: To learn more, see Upload presets

• The Auto Upload Mapping tab: Enables lazy migration by uploading files only when they're first accessed from your website or app. When adding a mapping, you need to specify a Target Folder and an associated Source URL Prefix. If a requested asset isn't found within the Target Folder, it’s retrieved from the associated Source URL prefix. For more information, see Lazy migration with auto-upload.

  Tip

  You can automatically apply a set of upload settings to assets uploaded via an upload mapping by associating the mapping with an upload preset. To do this, name the upload preset the same as the upload mapping’s Target Folder.

Optimization

The Optimzation page provides settings to control delivery performance. You can define default quality settings to automatically optimize images and videos. Adding a quality transformation (q_) in your code will override this default.

Webhook notifications

Webhook notifications inform your backend about certain actions that completed, either via an API method call or via a user action within the Console UI. When the action completes, Cloudinary sends an HTTP POST request to a public notification URL you provide. The payload contains all the results pertinent to that particular action.

On the Webhook notification page, you can configure multiple URLs to receive notifications for different API method calls or user actions.

Security settings

The Security page includes options that restrict how assets are shared, accessed and delivered. The settings impact only the selected product environment.

There are a variety of additional security options that affect DAM users. These are covered within the DAM Security settings section.

You might want to pay special attention to the following options as part of setting up a new product environment:

• Strict transformations prevents the dynamic creation of new derived assets unless specific criteria are met. This is useful for controlling transformation usage and bandwidth costs. Enable this setting to restrict creation by default, allowing new assets only when using signed URLs, named transformations, or authorized domains. For more information, see Strict transformations.

  • Allowed strict referral domains enables exceptions to strict transformations, allowing dynamic asset creation from trusted domains you specify.

• Restricted image and video types: Blocks certain third-party services from dynamic URL-based delivery. Use this to control access to resources like fetched URLs or social media content.

• Allowed Fetch Domains: Limits fetching of remote images or videos to specified domains. This is useful for preventing abuse when fetching media from external sources.

• Allowed Admin API IP Addresses: Limits API access to the specified static IPs for increased security.