Feed Security & Tokens

Feed URLs contain your product data. While URLs are unique and hard to guess, you can add token authentication for extra security.

Security Options

Option	Security Level	Ease of Use
Public URL	Basic	Easiest
Token required	Enhanced	Easy
Token + IP restriction	High	Moderate

Understanding Feed Security

Public Feeds (Default)

By default, feeds are accessible to anyone with the URL:

https://app.smartfeed.app/feeds/abc123.xml

Security notes:

• URL is unique and random
• Not indexed by search engines
• Don’t share publicly

Protected Feeds

Add token requirement:

https://app.smartfeed.app/feeds/abc123.xml?token=your-secret-token

Requests without valid token receive 403 error.

Enabling Token Protection

1. Go to feed settings

   Navigate to Feeds > select feed > Settings.

2. Enable authentication

   Toggle Require authentication on.

3. Copy generated token

   A 32-character token is generated. Copy it.

4. Save settings

   Click Save. Feed now requires token.

5. Update platform configuration

   Add token to your feed URL in each platform.

Using Tokens

Query Parameter

Add token as URL parameter:

https://app.smartfeed.app/feeds/abc123.xml?token=abc123def456ghi789

HTTP Header

Or use Authorization header:

Authorization: Bearer abc123def456ghi789

Tip

Google Merchant Center supports both methods. Query parameter is simplest.

Token Management

Regenerating Tokens

If token is compromised:

1. Go to feed settings
2. Click Regenerate Token
3. Copy new token
4. Update in all platforms

Old token stops working immediately.

Multiple Tokens (Enterprise)

Enterprise plans support multiple tokens per feed:

• Different token per platform
• Revoke individual tokens
• Track usage per token

Access Logging

Monitor who accesses your feeds:

1. Go to feed > Access Log
2. View recent requests
3. See:
   • Timestamp
   • IP address
   • Token used
   • Success/failure

Identifying Unauthorized Access

Look for:

• Requests with wrong token (401 errors)
• Unexpected IP addresses
• Unusual access patterns

IP Restrictions (Enterprise)

Restrict feed access to specific IPs:

1. Go to feed settings
2. Enable IP whitelist
3. Add allowed IP addresses/ranges
4. Save

Platform	IP Ranges
Google	Published ranges
Facebook	Variable
Others	Check documentation

Caution

IP ranges change. Monitor for fetch failures after enabling IP restrictions.

Security Best Practices

Do’s

• Use token protection for sensitive data
• Monitor access logs regularly
• Regenerate tokens periodically
• Use HTTPS (always enabled)

Don’ts

• Share feed URLs publicly
• Use simple or guessable tokens
• Ignore failed access attempts
• Disable protection without reason

Token Security

How Tokens Work

• 32-character random string
• Stored as hash (not plaintext)
• Compared on each request
• Constant-time comparison (timing attack safe)

Token Strength

Feedy McFeed Feed tokens are:

• Cryptographically random
• Sufficient entropy (256 bits)
• Resistant to brute force

Platform-Specific Setup

Google Merchant Center

1. Copy feed URL with token
2. In GMC, add/edit feed
3. Use full URL including ?token=...
4. Test fetch

Facebook Commerce Manager

1. Copy feed URL with token
2. In Commerce Manager > Data sources
3. Enter full URL with token
4. Verify connection

Other Platforms

Most platforms accept tokens in URL. Check platform documentation for header-based auth support.

Troubleshooting

Platform can’t fetch (403 error)

Causes:

• Token missing from URL
• Token incorrect
• Token regenerated

Solutions:

• Verify URL includes token
• Copy token again
• Update platform configuration

Access denied after setup

Check:

• Token enabled in settings
• Correct token in URL
• No IP restrictions blocking

Token works in browser but not platform

Possible causes:

• Platform caching old URL
• Header vs parameter issue
• Network restrictions

Solutions:

• Clear platform cache
• Try different auth method
• Check platform logs

Related Guides

• Feed URLs
• Feed Settings
• Feed URLs in GMC