Skip to main content
Minting a signature itself requires an API key — only a trusted backend should call this endpoint. The resulting signature is what you hand to the untrusted client (e.g. a browser).

Endpoint

POST /upload/sign
Auth: API Key required

Body parameters

folder
string
Destination folder the signature will be scoped to. Must match the folder field sent with the eventual POST /upload request.Defaults to the root folder if omitted.
expiresIn
number
Lifetime of the signature in seconds. Clamped between 1 and a server-configured maximum.Defaults to a server-configured value if omitted.

Response

{
  "success": true,
  "signature": "a1b2c3d4e5f6...",
  "expires": 1735689600,
  "folder": "photos"
}
success
boolean
true if a signature was generated.
signature
string
The presigned signature to pass alongside the upload.
expires
number
Unix timestamp (seconds) after which the signature is no longer valid.
folder
string
The folder the signature is scoped to.
Status codes: 200 success · 500 API_SECRET not configured on the server

Example

curl -X POST http://localhost:3000/upload/sign \
  -H "Authorization: Bearer <api_key>" \
  -H "Content-Type: application/json" \
  -d '{"folder": "photos", "expiresIn": 300}'

Upload Files

Use the resulting signature to upload without an API key.