Protect your images from editing

Uploadcare enables you to safeguard your images and photos from unauthorized editing and misuse.

When you apply our on-the-fly image processing operations (e.g. crop, blur faces or add a watermark), you do so by modifying its URL. Unfortunately, some users can remove those parameters and regain access to the original image.

You can "bake" a URL with operations applied to an image by saving a processed image version as a separate file. There are 3 ways to do this.

To prevent this, you can "bake" a URL with the operations applied to an image by saving a processed image version as a separate file or by signing existing URLs. There are three ways to do this.

Signed URLs

The best way to protect URLs from modification is to use signed URLs. Just set the very long validity period (e.g., several years).

This method doesn't affect your storage volume and upload units. (You can monitor usage in the project's Dashboard).

Re-upload a new version

Use Upload API from_URL method:

curl --request POST \
  --url \
  --header 'content-type: multipart/form-data' \
  --form pub_key=$YOUR_PUBLIC_KEY \
  --form source_url=$UUID/-/operation/:param/


  • $YOUR_PUBLIC_KEY — get from API keys.
  • $UUID — UUID of original image.
  • -/operation/:param/ — the name of the image processing operation with parameters (if necessary), that you want to bake in.

The response will contain a token:

"type": "token",
"token": "945ebb27-1fd6-46c6-a859-b9893712d650"

The actual file UUID should be retrieved by calling the /from_url/status/ endpoint.

Create a copy

Use REST API local_copy operation:

curl --request POST \
  --url \
  --header 'Accept: application/vnd.uploadcare-v0.7+json' \
  --header 'Authorization: Uploadcare.Simple $YOUR_PUBLIC_KEY:$YOUR_SECRET_KEY \
  --header 'content-type: multipart/form-data' \
  --form source=$UUID/-/operation/:param/


  • $YOUR_PUBLIC_KEY and $YOUR_SECRET_KEY — get them from API keys.
  • $UUID — UUID of original image.
  • -/{operation}/{param}/image processing operations that you need to bake in.

As a result, the processed version will be saved in the same project as a separate file, which you can safely use in your application. The URL has changed; it only contains a newly assigned UUID; no operations are present.

API integrations

You don't have to code most of the low-level API integrations. We have high-level libraries for all popular platforms:

Copying via from_url can be safely done on the front end using client-side JS libraries.