Signy: Signed URLs for Small Devices

Tiny gadgets handing out expiring links—genius or overkill?

TLDR: Signy lets tiny devices create time-limited links so bigger systems can fetch files securely. The lone comment sparks a classic debate: if you already use secure connections like MQTT with mutual TLS, do you need expiring links—or are they a smart way to delegate downloads when devices are limited?

Meet Signy, the tiny-library-with-big-energy that lets small devices hand out expiring, one-time links so bigger systems can fetch files for them—safely and on a timer. It’s all about signed URLs (think: a link that self-destructs after a set time), backed by public/private keys, and it plugs into popular embedded worlds like Zephyr and ESP-IDF. There’s even a GitHub repo at v0.2.0.

But the community mood? Curious side-eye. One early commenter, oulipo2, basically asked the room: if your gadgets already talk via MQTT with mTLS (that’s mutual TLS—both sides prove they’re legit), do you even need this? That question lit up the classic embedded debate: **“secure pipes” vs “secure links.”** Fans of the secure-pipe camp say persistent connections already gate access; others argue these links shine when tiny devices can’t keep a connection, need to delegate downloads, or want strict, time-boxed access without babysitting.

The vibe turned playful too, with folks riffing on the mental image of baby devices handing hall passes to big servers: “You, and only you, can fetch my file before the bell rings.” Drama? Not messy, but definitely a tension: fewer moving parts with mTLS vs more flexible hand-offs with signed URLs. If you’ve ever fought over cert storage or clock drift on a widget the size of a postage stamp, you felt this one.

Key Points

  • Signy is a library for embedded devices to generate signed URLs using asymmetric cryptography.
  • A verifying server is required; with Golioth, CA certificates for the device certificate issuer must be uploaded to the project.
  • Signy uses the PSA Crypto API; private keys must be managed via PSA and a signed certificate with the public key must be provided.
  • Signed URLs follow a defined format with nb (NOTBEFORE), na (NOTAFTER), cert (device certificate), and sig (signature); validity is controlled by CONFIG_SIGNY_URL_VALIDITY_DURATION.
  • Signy integrates as a Zephyr module and an ESP-IDF component (v0.2.0), with repository available on GitHub and examples provided.

Hottest takes

"Interesting... do you have specific use-cases in mind?" — oulipo2
"my fleet of IoT devices are communicating over MQTT with mTLS" — oulipo2
"sufficient to "emulate" all the features of a signed URL" — oulipo2
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.