Autodesk Forge - Securely downloading model derivatives

Question

Hope this is the correct place to ask this question. This is regarding authentication when downloading derivatives.

Our particular use case is downloading SVF1 derivatives, and we would like to know which option is the most secure and reliable.

First, we get the manifest from the translation job and get the derivative URN. Then, download the SVF1 archive and parse the manifest to get the list of assets, and download each asset the same way. There are 2 ways we tried out to download derivatives and its referenced assets.

Option 1 - Using signed cookies https://developer.api.autodesk.com/modelderivative/v2/designdata/{urn}/manifest/{derivativeUrn}/signedcookies

This is from the official documentation. In practice, this requires us to get a new set of cookies to download each asset.

Option 2 - Using https://developer.api.autodesk.com/derivativeservice/v2/derivatives/{derivativeUrn}

We found this endpoint while observing the calls made by the viewer when loading a model. In our trials, we found out that we can just use one scoped token for the source URN to download all the assets which is more convenient than getting cookies for each individual asset.

What do you recommend using? We find option 2 more convenient but there was no documentation related to it (in case Autodesk decides to deprecate/change that endpoint)

Answer 1

second option is technically valid, you can call it the ad-hoc method. As long as you have the token and own the resources, it's fine.