Authenticate file URL API calls with bearer keys
Every control action should identify the account that owns the file. Send the API key in the Authorization header from a server, worker, script, or trusted automation credential store.
Put upload credentials where users cannot extract them.
The upload API creates public URLs, so credentials should live in trusted runtimes that can enforce account policy, file limits, and lifecycle defaults.
Server routes
Store the key in environment variables and call GetFileURL from your backend route or server action.
Workers
Use platform secrets for Cloudflare Workers or similar edge runtimes instead of committed env files.
Automation tools
Use the platform credential store in n8n, Make, Zapier, or Pipedream rather than hard-coding keys in fields.
Do not ship production bearer keys to the browser.
A public browser bundle cannot keep a secret. Browser-facing uploads need scoped upload sessions or a backend relay before they are safe for real accounts.
Backend relay
Have the browser send the file to your backend, then let the backend call the upload API with the account key.
Future upload sessions
A scoped session can eventually limit file size, type, expiry, and account policy without exposing the account key.
Audit context
Attach workflow or customer metadata from the trusted runtime so support and cleanup actions remain traceable.
Auth errors should stop the workflow before public access is created.
Treat invalid keys, missing headers, and disabled accounts as hard failures. Retry only after the credential or account state is fixed.
401 unauthorized
The key is missing, malformed, expired, or invalid.
403 forbidden
The key is valid but the account or policy does not allow the requested action.
Rotate deliberately
Plan for key rotation so old workflows can be updated without exposing keys in logs or screenshots.
Copy the same upload shape into code or workflow steps
Use the same endpoint from a shell, backend route, worker, or automation code step. Upload the file, set expiry, then map the returned URL.
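The backend relay and hard-failure handling described above, as an added Node example that is not GetFileURL's own code: the endpoint URL, the `file` and `expires_in` form fields and the fake API stub are placeholders, only the `Authorization: Bearer $GETFILEURL_KEY` header and the 401/403 semantics come from this page.

```javascript
const UPLOAD_URL = "https://example.invalid/upload"; // placeholder endpoint, not the real one

// Read the key from the server environment; never from a browser bundle.
function bearerHeader(env = process.env) {
  const key = env.GETFILEURL_KEY;
  if (!key || !key.trim()) {
    throw new Error("GETFILEURL_KEY is not set in the server environment");
  }
  return { Authorization: `Bearer ${key}` };
}

// 401/403 are hard failures: fix the credential or account state before
// any retry. Throttling and server errors are the only retryable outcomes.
function classifyStatus(status) {
  if (status >= 200 && status < 300) return { ok: true, retry: false };
  if (status === 401) return { ok: false, retry: false, reason: "unauthorized: key missing, malformed, expired or invalid" };
  if (status === 403) return { ok: false, retry: false, reason: "forbidden: account or policy does not allow this action" };
  if (status === 429 || status >= 500) return { ok: false, retry: true, reason: `transient ${status}` };
  return { ok: false, retry: false, reason: `unexpected ${status}` };
}

// Backend relay: the browser posts the file to this route, the server adds
// the account key and forwards it. fetchImpl is injectable for offline tests.
async function relayUpload(fileBytes, filename, { expiresIn = 3600, env = process.env, fetchImpl = fetch } = {}) {
  const form = new FormData();
  form.append("file", new Blob([fileBytes]), filename);   // placeholder field name
  form.append("expires_in", String(expiresIn));           // placeholder field name
  const res = await fetchImpl(UPLOAD_URL, { method: "POST", headers: bearerHeader(env), body: form });
  const verdict = classifyStatus(res.status);
  if (!verdict.ok) {
    // Surface the status and reason only; never log the key or the header.
    throw new Error(`upload failed (${res.status}): ${verdict.reason}; retryable=${verdict.retry}`);
  }
  return (await res.json()).url; // map the returned public URL into the workflow
}

// Constructed stand-in for the upload API so the example runs offline.
function fakeApi(expectedKey) {
  return async (_url, init) => init.headers.Authorization === `Bearer ${expectedKey}`
    ? { status: 200, json: async () => ({ url: "https://example.invalid/f/abc123" }) }
    : { status: 401, json: async () => ({}) };
}

// Offline demo with a constructed sample key.
relayUpload(new Uint8Array([1, 2, 3]), "report.pdf", {
  env: { GETFILEURL_KEY: "sample-key" }, fetchImpl: fakeApi("sample-key"),
}).then((url) => console.log("mapped URL:", url));
```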
Bearer header
upload example
Authorization: Bearer $GETFILEURL_KEY
Store keys in:
- server environment variables
- worker secrets
- trusted automation credentials
Answers before the workflow breaks
Where do I put the GetFileURL API key?
Put it in a server environment variable, worker secret, or trusted automation credential store. Do not commit it or expose it in browser JavaScript.
Do delete calls use the same authentication model?
Yes. Delete and other lifecycle controls should require bearer authentication because public URL viewers should not be able to remove files.
Can I create client-side uploads?
Use a backend relay today. Client-side scoped upload sessions should be a separate product surface with size, type, expiry, and account limits.