Developer Guide: Target CDN Asset Delivery
This guide explains how to use test.tgtcdn.com for private GCS-backed image retrieval, Cloudflare-native image transformations, Scene7-style compatibility URLs, cache behavior, and purge by GCS object key.
Platform Summary
| Capability | How it works in the POC |
|---|---|
| Native image retrieval | https://test.tgtcdn.com/<object-key> reads the original private GCS object through cdn-gateway. |
| Native image transforms | https://test.tgtcdn.com/cdn-cgi/image/<options>/<object-key> uses Cloudflare Image Transformations directly. |
| Compatibility image transforms | https://test.tgtcdn.com/is/image/Target/<object-key>?<scene7-options> routes through image-url-translator, then redirects to the native transform URL. |
| Cache purge | Purge the Cloudflare cache tag gcs-key:<object-key> from the Cloudflare Dashboard or Cache Purge API. |
| Demo and health | /demo shows examples. /health shows POC status and recent asset activity. |
Native Image Retrieval
Use raw object URLs when the page or application needs the original GCS object without resizing, format conversion, or quality changes.
https://test.tgtcdn.com/<object-key>
Known working example:
https://test.tgtcdn.com/007/ORIGINAL
Retrieval behavior:
| Header or behavior | Meaning |
|---|---|
X-CDN-Origin: GCS | The asset is served through the private GCS origin adapter. |
X-Origin-Mode: gcs-service-account | The Worker authenticates to GCS using a service-account secret. |
X-Asset-Key: 007/ORIGINAL | Stable object-key header for Log Explorer/Logpush custom fields on Worker-handled paths. |
X-Asset-Path: /007/ORIGINAL | Public path mapped to the GCS object key. |
X-Cache-Tag: gcs-key:007/ORIGINAL | Deterministic cache tag derived directly from the GCS object key. |
CF-Cache-Status: HIT | Repeat request is served from Cloudflare cache. |
Native Image Transformations
Use native Cloudflare Image Transformations URLs when Target controls application or page markup. This is the preferred long-term path because the browser requests Cloudflare's image pipeline directly without a compatibility redirect.
https://test.tgtcdn.com/cdn-cgi/image/<options>/<object-key>
Example product detail image:
https://test.tgtcdn.com/cdn-cgi/image/width=1200,height=1200,quality=85,format=auto,fit=scale-down,metadata=none/007/ORIGINAL
Example product tile:
https://test.tgtcdn.com/cdn-cgi/image/width=400,height=400,quality=80,format=auto,fit=crop,metadata=none/007/ORIGINAL
Example responsive gallery markup:
<img
src="https://test.tgtcdn.com/cdn-cgi/image/width=800,height=800,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL"
srcset="
https://test.tgtcdn.com/cdn-cgi/image/width=300,height=300,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 300w,
https://test.tgtcdn.com/cdn-cgi/image/width=400,height=400,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 400w,
https://test.tgtcdn.com/cdn-cgi/image/width=600,height=600,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 600w,
https://test.tgtcdn.com/cdn-cgi/image/width=800,height=800,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 800w,
https://test.tgtcdn.com/cdn-cgi/image/width=1200,height=1200,quality=80,format=auto,fit=scale-down,metadata=none/007/ORIGINAL 1200w
"
sizes="(min-width: 992px) 60vw, 50vw"
alt="Product image"
>
Transformation Defaults
| Area | POC default |
|---|---|
| Supported compatibility widths | 300, 320, 400, 480, 600, 640, 670, 800, 960, 980, 1200, 1280, 1600, 1920 |
| Product gallery widths | 300, 400, 600, 800, 1200 |
| Observed marketing/recommendation widths | 670, 980 |
| Format for new markup | format=auto |
| Product gallery quality | quality=80 |
| Detail/hero quality | quality=85 |
| Compressed marketing quality | quality=65 where already observed |
| Gallery/detail fit | fit=scale-down |
| Tile/marketing crop fit | fit=crop |
| Metadata | metadata=none |
Each unique option set creates a separate cacheable image variant. Keep widths, quality levels, and fit modes intentional to avoid unnecessary variant growth.
Compatibility URL Translation
Use compatibility URLs when testing existing Scene7-style URLs or when URL generation cannot change yet.
https://test.tgtcdn.com/is/image/Target/<object-key>?wid=<width>&hei=<height>&qlt=<quality>&fmt=<format>&fit=<fit>
Example compatibility request:
https://test.tgtcdn.com/is/image/Target/007/ORIGINAL?wid=800&hei=800&qlt=80&fmt=pjpeg
Current flow:
/is/image/Target/... -> image-url-translator Worker -> 302 -> /cdn-cgi/image/...
Compatibility parameter mapping:
| Scene7-style option | POC behavior |
|---|---|
wid | Maps to width. Unsupported between-values snap up to the next supported width. |
hei | Maps to height. If width is snapped, height is scaled by the same ratio. |
qlt | Maps to quality. POC-safe range is normalized to 60-90. |
fmt=pjpeg | Maps to format=jpeg. New native markup should use format=auto. |
fit=crop,1 | Maps to fit=crop. |
Examples of compatibility normalization:
| Request | Resolved behavior |
|---|---|
wid=500&hei=500 | width=600,height=600 |
wid=1000&hei=430&fit=crop,1 | width=1200,height=516,fit=crop |
wid=670&hei=377&qlt=65&fmt=pjpeg&fit=crop,1 | Preserves 670x377, maps to quality=65,format=jpeg,fit=crop |
Compatibility URLs are useful for migration testing and noisy legacy URL handling. They are not the preferred final markup because the current implementation adds a browser redirect before the transformed image is fetched.
Cache And Purge Logic
Raw source assets and transformed variants are cached at Cloudflare. The same source image requested with different transform options creates distinct transformed variants.
Purge is based on the GCS object key. The Worker attaches the object key directly as the Cloudflare cache tag, prefixed with gcs-key:.
gcs-key:007/ORIGINAL
Purge behavior:
| Step | What happens |
|---|---|
| Identify object key | https://test.tgtcdn.com/007/ORIGINAL maps to object key 007/ORIGINAL. |
| Compute cache tag | Add the gcs-key: prefix: gcs-key:007/ORIGINAL. |
| Purge by Dashboard | Cloudflare Dashboard > Caching > Configuration > Purge Cache > Custom Purge > Tags. |
| Purge by API | Send {"tags":["gcs-key:007/ORIGINAL"]} to the Cloudflare zone purge endpoint. |
| Validate | Request the same raw and transformed URLs again and confirm stale content is gone. |
API example:
ZONE_ID="aacac726952b470209b3c31c95ea0b17"
curl -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/purge_cache" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"tags":["gcs-key:007/ORIGINAL"]}'
Do not exact-purge /cdn-cgi/image/... transformed URLs. Cloudflare rejects exact purges for resized image URLs; purge the gcs-key:<object-key> tag instead.
When To Use Each Structure
| Use case | Recommended structure |
|---|---|
| Original image delivery with no resize | Native retrieval: /<object-key> |
| New product page markup | Native transform: /cdn-cgi/image/... |
Responsive srcset generated by Target | Native transform URLs with agreed widths |
| Existing Scene7-shaped URLs | Compatibility URL: /is/image/Target/... |
| URLs needing snapping, validation, or parameter cleanup | Compatibility Worker path |
| Stable legacy patterns that do not need complex logic | Future Transform Rule rewrite, documented separately in config/IMAGE-COMPAT-RULES.md |
| Same-key GCS overwrite | Purge cache tag gcs-key:<object-key> through Cloudflare Dashboard or API. |
Observability And Tooling
| Surface | Purpose |
|---|---|
/demo | Visual image gallery showing raw and transformed delivery. |
/health | POC health dashboard backed by Workers Analytics Engine. |
/api/assets | Per-asset rollups for delivered assets and purge markers. |
| Log Explorer | Production request-level investigation for http_requests, including native /cdn-cgi/image/... traffic. |
| Logpush | Optional export of the same HTTP request logs to a Target-owned observability platform. |
scripts/test-developer-image-guide.mjs | Live regression suite generated from this guide. |
Observability backend split:
| Backend | Use it for | Key limit |
|---|---|---|
| Workers Analytics Engine | Custom asset lifecycle telemetry: object key, origin pulls, cache hit ratio, purge markers, health states. | Only sees events the Workers write. It is not full request logging. |
| Log Explorer | Cloudflare-native log search and dashboards for raw, compatibility, and native image request traffic. | Cloudflare-hosted; use Logpush if Target requires external ownership/retention. |
| Logpush | Exporting Cloudflare HTTP request logs to Splunk, Datadog, GCS, BigQuery, S3, R2, or another platform. | Requires destination, field selection, retention, and PII policy decisions. |
For Log Explorer or Logpush, enable the http_requests dataset for test.tgtcdn.com. The POC uses header-based enrichment as the recommended default: Workers emit approved X-* response headers and Log Explorer captures them as custom response fields. Current fields are X-Asset-Key, X-Cache-Tag, X-CDN-Origin, X-Origin-Mode, X-Transform-Method, X-Resolved-Width, and X-Resolved-Format.
Customer decision point:
| Option | When to use | Tradeoff |
|---|---|---|
| Header-based enrichment | Recommended default for raw and compatibility paths. Adds searchable object-key and transform context without changing the native image fast path. | Headers are visible to clients; native /cdn-cgi/image/... responses may not carry Worker headers. |
| Path-only logging | Use if Target wants no extra response metadata. Derive object key from URL path. | Less direct cache-tag and compatibility correlation. |
Expanded X-* headers | Use if Target wants more asset or policy fields in Log Explorer. | Requires explicit allow-list and PII/governance review. |
| Target request headers | Use if Target apps can send product, campaign, or page context for logging. | Requires Target app changes and strict data review. |
| Logpush correlation | Use when Target wants to join HTTP logs with Analytics Engine, purge events, or catalog data in Target-owned tooling. | Requires destination, schema, retention, and pipeline ownership. |
| Worker-mediated final delivery | Use only when every final image response must carry Worker metadata. | Not recommended by default because it can add latency, cost, and complexity. |
Native /cdn-cgi/image/... responses are generated by Cloudflare Image Transformations and may not carry Worker headers, so investigate those by request path, status, cache status, Ray ID, and the object key derived from /cdn-cgi/image/<options>/<object-key>.
Validation Commands
Validate raw native retrieval:
curl -I "https://test.tgtcdn.com/007/ORIGINAL"
Validate native transform delivery:
curl -I -H "Accept: image/webp" \
"https://test.tgtcdn.com/cdn-cgi/image/width=640,quality=85,format=webp,fit=scale-down/007/ORIGINAL"
Validate compatibility behavior:
curl -IL "https://test.tgtcdn.com/is/image/Target/007/ORIGINAL?wid=1200&hei=1200&qlt=80"
Run the full guide-derived image suite:
node scripts/test-developer-image-guide.mjs
Expected signals:
| Signal | Meaning |
|---|---|
HTTP 200 on raw retrieval | The original object was served. |
X-CDN-Origin: GCS | Raw retrieval went through the private GCS gateway. |
X-Asset-Key: 007/ORIGINAL | Raw retrieval exposes an object-key field suitable for Log Explorer/Logpush custom field indexing. |
X-Cache-Tag: gcs-key:007/ORIGINAL | Raw retrieval is associated with the key-derived purge tag. |
HTTP 200 on native transform | The transformed image was served. |
cf-resized response header | Cloudflare Image Transformations processed the image. |
HTTP 302 on compatibility URL | The compatibility Worker redirected to native /cdn-cgi/image/.... |
CF-Cache-Status: HIT on repeat request | The asset or variant is cached at Cloudflare. |