Recommended behaviors in the Default Rule

We automatically add various recommended behaviors to your configuration within the Default Rule, which applies to all requests. They're optional but recommended.

  • You can leave them in the Default Rule. This is recommended so that they apply to all requests.

  • You can move it out of the Default Rule. Mouse over the behavior and click the √ó icon. Then, you can add it to an optional rule, and set specific match criteria.

  • You can delete the behavior. Mouse over the behavior and click the √ó icon.

Review details for each of these behaviors and apply settings as desired.

Auth Token 2.0 Verification

Auth token verification (also referred to as "Token Auth") is the process of generating tokens, associating them with an authenticated user session, and then validating the request using these tokens to prevent unauthorized sharing of links to your Object Delivery content.

We recommend that you add Auth Token 2.0 Verification to your Object Delivery property configuration to incorporate this security for your content.

Auto Domain Validation and Object Delivery

If you're using Standard TLS in your property hostnames to secure access requests, and you've set up a domain validation (DV) type certificate for it, you should add this behavior to automatically renew the certificate when it expires.

With DV, the applicable certificate authority (CA) validates that you have control of the domain. ‚ÄčAkamai‚Äč's Certificate Provisioning System (CPS) supports DV certificates issued by Let's Encrypt, an automated, and open certificate authority that is run for public benefit. Certificate expiration is typically as follows:

  1. ‚ÄčAkamai‚Äč-managed DV certificates expire in 90 days.

  2. Renewals for ‚ÄčAkamai‚Äč-managed DV certificates start 16 days prior to expiration.

  3. A third-party, customer-supplied, DV certificate can expire whenever the applicable certificate authority determines it expires; this behavior isn't necessary if you don't use CPS and you supply your own DV certificates.

When should I include this behavior?

If you've set up Standard TLS DV certificates for the property hostnames in this property, you should include this behavior to enable automatic renewal of the certificate. If you leave this behavior out, the certificate could expire, and HTTPS traffic will be served with certificate errors.


This behavior isn't required if you're using an enhanced TLS certificate to secure requests with your property hostname to edge hostname association.

How is this behavior supported?

Include this behavior in your property in multiple ways. Consider these points when adding it:

  • You can include it in the Default Rule. In this case, it is applied to all requests for all resources associated with this property. It'll only apply to property hostnames that have Standard TLS security using DV certificates.

  • You can include it in a supplemental rule. This allows you to set up a custom rule that only applies to specific requests for resources associated with this property. This rule must use only the "Hostname" condition match criteria.

  • You can include it in multiple rules. Rule priority applies, with rules lower in the order taking precedence.

  • There might be an issue if an incoming request matches another "redirect" behavior. Assume that the incoming request matches another behavior you have in your property that results in a redirect operation similar to what applies to this behavior. If so, the operation that takes precedence depends on where the behavior is in the property.

  • Are you using a similar behavior in another rule? If so, ensure that behavior exists in a rule that is higher in the rule order so that it can take precedence.

  • You should test your configuration. Test it on staging by making a request to