Signed Uploads let you control who and when can upload files to a specified Uploadcare project. Once switched on in your project’s settings via our dashboard, this option requires an extra token sent to Upload API for your project to receive the upload. The extra token is called
signature and is derived using the two params:
expire. And here is how you make it.
signature is a string sent along with your upload request. It requires your Uploadcare project secret key and hence should be crafted on your back end.
signature is an MD5 hex-encoded hash from a concatenation of your
expire. The latter stands for a time in the future when you
Below is how you make a
signature in Python,
def generate_secure_signature(secret, expire):
to_sign = str(secret) + str(int(expire))
# Expire in 30 min e.g. 1454903856
expire = int(time.time()) + 60 * 30
# secret key of your project
secret = 'project_secret_key'
# example result: '04b29480233f4def5c875875b6bdc3b1'
signature = generate_secure_signature(secret, expire)
As mentioned above,
expire sets the time until your
signature is valid. It is a Unix time, e.g.,
curl -F "UPLOADCARE_PUB_KEY=caa9d29da887ee88ffe6" \
-F "signature=04b29480233f4def5c875875b6bdc3b1" \
-F "expire=1454903856" \
-F "firstname.lastname@example.org" \
If you enable Signed Uploads for one of your projects, then both
expire parameters are required for every upload request. Otherwise, you’ll receive one of the following errors:
[HTTP 400] `signature` is required.
[HTTP 400] `expire` is required.
expire is not a valid Unix timestamp,
[HTTP 400] `expire` must be a UNIX timestamp.
signature has expired, i.e.,
expire < now,
[HTTP 403] Expired signature.
signature is incorrect,
[HTTP 403] Invalid signature.