The key is an AES-256 private key, yes. This should never be shared with the content server. This is a design choice of the "Message" Privly application, but it is a good layer of encryption for any app with remotely stored content because it ensures the content can't be decrypted without access to and discovery of the link.
The auth token authenticates the link; without the token the request will return forbidden. This prevents crawling the content server. This is a convention of a particular content server and will not necessarily be part of every link.
-Sean