API reference

OpenAPI-backed v1 reference for file URL workflows

Upload files and return controlled public file URLs.

Download OpenAPI YAMLStart with upload
Short answer

What this page answers

This page renders the current v1 OpenAPI operation list into a human reference so builders can see every supported endpoint, request style, and response status before using the raw YAML contract.

Reviewed by GetFileURL product engineering. Last updated .

Reference

Endpoint reference

These endpoints are served under the public v1 API contract. Use bearer API keys from trusted runtimes, keep file IDs for lifecycle actions, and rely on stable error codes for workflow branches.

diagnoseUrl

Check whether a remote HTTPS URL can be used by GetFileURL remote ingest.

POST/v1/diagnostics/url

URL diagnostics use the same outbound URL policy as remote URL ingest. The submitted URL is returned sanitized to the caller, but Convex diagnostic history stores only hostnames and URL hashes.

request bodyresponses 200, 400, 401, 403, 410, 429, 500

listFiles

List file metadata for the authenticated workspace.

GET/v1/files
no request bodyresponses 200, 400, 401, 403, 410, 429, 500

uploadFile

Upload a file and receive a controlled public file URL.

POST/v1/files
request bodyresponses 201, 400, 401, 403, 410, 413, 415, 429, 500

deleteFile

Delete a file and revoke its public file URL.

DELETE/v1/files/{file_id}
no request bodyresponses 202, 204, 401, 403, 404, 410, 429, 500

getFile

Retrieve file metadata for one file in the authenticated workspace.

GET/v1/files/{file_id}
no request bodyresponses 200, 400, 401, 403, 404, 410, 429, 500

createSignedDeliveryUrl

Create a signed CDN delivery URL and require signed delivery for the file.

POST/v1/files/{file_id}/signed-url
request bodyresponses 201, 400, 401, 403, 404, 410, 429, 500

uploadFileFromUrl

Fetch a remote HTTPS URL into GetFileURL and return a controlled public file URL.

POST/v1/files/from-url

Remote URL uploads require HTTPS, no URL credentials, standard port 443, an allowed public host, and a valid Content-Length header before quota is reserved.

request bodyresponses 201, 400, 401, 403, 410, 413, 415, 429, 500

createUploadSession

Create a bounded multipart upload session for files larger than the standard upload limit.

POST/v1/upload-sessions

Creates a Convex-controlled upload session and an R2 multipart upload. The API key remains server-side; clients upload each part through GetFileURL's Upload/API Worker rather than receiving raw public R2 credentials or URLs.

request bodyresponses 201, 400, 401, 402, 403, 410, 413, 415, 429, 500

completeUploadSession

Complete a multipart upload session and return the controlled file URL.

POST/v1/upload-sessions/{upload_session_id}/complete

Completes the R2 multipart upload, verifies the completed object size against the declared session size, finalizes Convex file state, and returns the same file response shape as standard upload.

no request bodyresponses 201, 400, 401, 403, 404, 410, 429, 500

uploadUploadSessionPart

Upload one part for a multipart upload session.

PUT/v1/upload-sessions/{upload_session_id}/parts/{part_number}

Uploads a single binary part through the Upload/API Worker. The request must include a valid `Content-Length`; all non-final parts must match the session `part_size`, and the final part may be smaller.

request bodyresponses 200, 400, 401, 403, 404, 410, 429, 500

getWorkspaceUsage

Retrieve sanitized usage and limits for the authenticated workspace.

GET/v1/usage

Returns Convex source-of-truth usage rollups, workspace usage state, plan limits, grace limits, and support target for the API key's workspace. It does not expose Stripe identifiers, billing provider records, private object keys, raw customer file URLs, or customer file contents.

no request bodyresponses 200, 400, 401, 403, 404, 410, 429, 500
Reference

Webhook receiver reference

Webhook receiver contracts describe what customer endpoints should accept when GetFileURL delivers lifecycle and usage events. Customer endpoints own the final URL path; the signature and payload shape stay versioned here.

receiveGetFileURLEvent

Receive a signed GetFileURL lifecycle or usage event.

POSTgetfileurlEvent
request bodyresponses 200, 204
Contract rules

Versioning, auth, and lifecycle expectations

01

Versioned paths stay under /v1

Breaking API behavior requires a new major path. Additive response fields can ship inside v1, but field removal or renaming requires a new version.

02

Bearer keys stay server-side

Use API keys from server routes, workers, scripts, or trusted automation credentials. Public browser bundles must not contain production upload credentials.

03

Lifecycle is part of the contract

Upload, metadata, signed delivery URLs, delete, diagnostics, usage, scanner state, and webhook events are treated as one governed file handoff surface.

FAQ

OpenAPI reference answers

Is this page the source of truth for the API contract?

The YAML contract is the machine-readable source of truth. This page is rendered from the same file so people can scan the v1 endpoint and webhook surface quickly.

Does the reference mean the TypeScript SDK is public?

No. The repository-owned SDK source and release checks exist, but public npm package availability still waits for release automation and published package verification.

Where should I start for a first integration?

Start with POST /v1/files, keep the bearer key server-side, store file_id for cleanup, and branch on structured errors before adding multipart sessions or webhooks.

Next pages

Keep implementing against the contract

Back to API hub
Related

Upload API

Create controlled public file URLs.

Related

API errors

Branch on stable failure codes.

Related

OpenAPI YAML

Use the machine-readable v1 contract.