You don't need to move it to accomplish this.

Lets say your web app is running here

/home/lar/app
/home/lar/public

And lets say your MP3 files live outside that folder

/usr/local/datastore/MP3s/

Make a table that stores download tokens and has fields to expire and mark downloads as used.

tblDownloadTokens

id | token | file | expires_on | used_on
_____________________________
1 | xyz | this.mp3 | 15/01/01 | Null

What you want to do is send the user to a download method and pass in the token

http://example.com/download_mp3?token=xyz

Your method checks the token to discover the file they want. Grabs the file and returns it in the response.

$file = select file from tblDownloadTokens where token = $token and used_on is Null and expires_on > now()

if $file:
update tblDownloadTokens set used_on = now() where token = $token
return Response::download('/usr/local/datastore/MP3s/' . $file);

Now you never have a public path to the MP3 and the token only works once, you never have to move or delete the file. As long as the folder that the MP3s live in permissions are set up properl, this will work. The MP3 folder needs only to belong to the same group or user apache is running as. Just make your tokens very complex