Authenticate file URL API calls with bearer keys
Every upload and cleanup action needs an owner. Send the bearer key from a server, worker, script, or trusted automation credential store.
- Reviewed by
- GetFileURL technical team
- Updated
- Header
- Authorization: Bearer <api_key>
- Applies to
- Upload, delete, metadata, future lifecycle calls
- Do not
- Expose account API keys in public browser code
What this page answers
Put it in a server environment variable, worker secret, or trusted automation credential store. Do not commit it or expose it in browser JavaScript.
- Reviewed by
- GetFileURL technical team
- Last updated
One request in, a URL and JSON out
curl -X POST https://api.getfileurl.com/v1/files \
-H 'Authorization: Bearer $GETFILEURL_KEY' \
-F 'file=@invoice.pdf'Put upload credentials where users cannot extract them.
The upload API creates public URLs. Keep credentials in trusted runtimes that can enforce account policy, file limits, and lifecycle defaults.
Server routes
Store the key in environment variables and call GetFileURL from your backend route or server action.
Workers
Use platform secrets for Cloudflare Workers or similar edge runtimes instead of committed env files.
Automation tools
Use the platform credential store in n8n, Make, Zapier, or Pipedream rather than hard-coding keys in fields.
Do not ship account bearer keys to the browser.
A public browser bundle cannot keep a secret. Browser-facing uploads need scoped upload sessions or a backend relay before they are safe for real accounts.
Backend relay
Have the browser send the file to your backend, then let the backend call the upload API with the account key.
Future upload sessions
A scoped session can eventually limit file size, type, expiry, and account policy without exposing the account key.
Audit context
Attach workflow or customer metadata from the trusted runtime so support and cleanup actions remain traceable.
Auth errors should stop the workflow before public access is created.
Treat invalid keys, missing headers, and disabled accounts as hard failures. Retry only after the credential or account state is fixed.
401 unauthorized
The key is missing, malformed, expired, or invalid.
403 forbidden
The key is valid but the account or policy does not allow the requested action.
Rotate deliberately
Plan for key rotation so old workflows can be updated without exposing keys in logs or screenshots.
Copy the same upload shape into code
Authorization: Bearer $GETFILEURL_KEY
Store keys in:
- server environment variables
- worker secrets
- trusted automation credentialsCommon questions
Where do I put the GetFileURL API key?
Put it in a server environment variable, worker secret, or trusted automation credential store. Do not commit it or expose it in browser JavaScript.
Do delete calls use the same authentication model?
Yes. Delete and other lifecycle controls should require bearer authentication because public URL viewers should not be able to remove files.
Can I create client-side uploads?
Use a backend relay today. Client-side scoped upload sessions should be a separate product surface with size, type, expiry, and account limits.