Signed Uploads

Signed Uploads let you control who and when can upload files to a specified Uploadcare project. Once switched on in your project’s settings via our dashboard, this option requires an extra token sent to Upload API for your project to receive the upload. The extra token is called signature and is derived using the two params: secret_key and expire. And here is how you make it.

Making signature

signature is a string sent along with your upload request. It requires your Uploadcare project secret key and hence should be crafted on your back end.

The signature is an MD5 hex-encoded hash from a concatenation of your secret_key and expire. The latter stands for a time in the future when you signature expires.

Below is how you make a signature in Python,

import time
import hashlib

def generate_secure_signature(secret, expire):
  to_sign = str(secret) + str(int(expire))
  return hashlib.md5(to_sign.encode()).hexdigest()

# Expire in 30 min e.g. 1454903856
expire = int(time.time()) + 60 * 30

# Secret key of your project
secret = 'project_secret_key'

# Example result: '46f70d2b4fb6196daeb2c16bf44a7f1e'
signature = generate_secure_signature(secret, expire)

expire explained

As mentioned above, expire sets the time until your signature is valid. It is a Unix time, e.g., 1454902434.

Signed Uploads example


curl -F "UPLOADCARE_PUB_KEY=caa9d29da887ee88ffe6" \
     -F "signature=46f70d2b4fb6196daeb2c16bf44a7f1e" \
     -F "expire=1454903856" \
     -F "file=@image.jpg" \


  "file": "c0d776d4-8c8e-47df-9e92-03b68b99c2ba"

Possible errors

If you enable Signed Uploads for one of your projects, then both signature and expire parameters are required for every upload request. Otherwise, you’ll receive one of the following errors:

[HTTP 400] 'signature' is required.
[HTTP 400] 'expire' is required.

If expire is not a valid Unix timestamp,

[HTTP 400] 'expire' must be a UNIX timestamp.

If your signature has expired, i.e., expire < now,

[HTTP 403] Expired signature.

If signature is incorrect,

[HTTP 403] Invalid signature.