Security

Security for public file URL handoffs

Public URLs are useful because other systems can fetch them. Security comes from API keys, expiry, delete controls, file policy, and abuse review.

Reviewed by
GetFileURL technical team
Updated
API keyspublic URL behaviorexpirydelete APIabuse reports
Security model
Authentication
API keys for upload and lifecycle API calls
Public URLs
Readable by anyone with the URL until expiry or deletion
Controls
Expiry, delete, MIME validation, abuse handling
Short answer

What this page answers

Yes. The core product returns public URLs for downstream APIs. Use expiry and delete controls for files that should not remain public.

Reviewed by
GetFileURL technical team
Last updated
Public URL behavior

A direct CDN URL is powerful because it is reachable.

That is also the risk. The product should make public access explicit and keep cleanup close to the upload response.

01

Anyone with the URL can fetch it

Use expiry and deletion when the file only exists for a workflow handoff.

02

API keys are for control actions

Uploads, deletes, and metadata reads require authenticated API calls.

03

Sensitive files need policy

Businesses should set shorter retention and avoid long-lived public URLs for sensitive documents.

Controls

Security features should match workflow reality.

The roadmap prioritizes controls that reduce public URL risk without making automation setup heavy.

01

Key rotation

API keys should be replaceable without support involvement.

02

MIME validation

Account policy should be able to block risky or unexpected file types.

03

Abuse handling

Public file services need a clear path for reports, takedowns, and account review.

FAQ

Common questions

Are GetFileURL file URLs public?

Yes. The core product returns public URLs for downstream APIs. Use expiry and delete controls for files that should not remain public.

Should I expose my API key in a browser?

No. Keep API keys on your server, worker, backend action, or protected automation credential store.

What should I do with sensitive documents?

Use the shortest retention window that works, delete after processing, and wait for stronger policy controls before broad sensitive document use.