implemented a lot of security measures

app/Http/Resources/Tenant/PhotoResource.php

@@ -16,8 +16,8 @@ class PhotoResource extends JsonResource
     {
         $tenantId = $request->attributes->get('tenant_id');
         $showSensitive = $this->event->tenant_id === $tenantId;
-        $fullUrl = $this->getFullUrl();
-        $thumbnailUrl = $this->getThumbnailUrl();
+        $fullUrl = $this->getSignedUrl('full');
+        $thumbnailUrl = $this->getSignedUrl('thumbnail');
 
         return [
             'id' => $this->id,
@@ -46,26 +46,26 @@ class PhotoResource extends JsonResource
     }
 
     /**
-     * Get full image URL
+     * Get signed URL for variant
      */
-    private function getFullUrl(): ?string
+    private function getSignedUrl(string $variant): ?string
     {
-        if (empty($this->filename)) {
+        if (empty($this->id) || empty($this->event?->slug)) {
             return null;
         }
 
-        return url("storage/events/{$this->event->slug}/photos/{$this->filename}");
-    }
+        $route = $variant === 'thumbnail'
+            ? 'api.v1.gallery.photos.asset'
+            : 'api.v1.gallery.photos.asset';
 
-    /**
-     * Get thumbnail URL
-     */
-    private function getThumbnailUrl(): ?string
-    {
-        if (empty($this->filename)) {
-            return null;
-        }
-
-        return url("storage/events/{$this->event->slug}/thumbnails/{$this->filename}");
+        return \URL::temporarySignedRoute(
+            $route,
+            now()->addMinutes(30),
+            [
+                'token' => $this->event->slug, // tenant/admin views are trusted; token not used server-side for signed validation
+                'photo' => $this->id,
+                'variant' => $variant === 'thumbnail' ? 'thumbnail' : 'full',
+            ]
+        );
     }
 }