Protect your images from editing

Uploadcare enables you to safeguard your images and photos from unauthorized editing and misuse.

When you apply our our on-the-fly image processing operations (e.g. crop, blur faces or add a watermark), you do so by modifying its URL. Unfortunately, some users can remove those parameters and regain access to the original image.

You can "bake" a URL with operations applied to an image by saving a processed image version as a separate file. There are 3 ways to do this.

To prevent this, you can "bake" a URL with the operations applied to an image by saving a processed image version as a separate file or by signing existing URLs. There are three ways to do this.

Re-upload a new version

Use Upload API from_url method:

curl --request POST \
  --url https://upload.uploadcare.com/from_url/ \
  --header 'content-type: multipart/form-data' \
  --form pub_key={YOUR_PUBLIC_KEY} \
  --form source_url=https://ucarecdn.com/{:UUID}/-/{operation}/{param}/bash

Where:

The response will contain a token:

{
"type": "token",
"token": "945ebb27-1fd6-46c6-a859-b9893712d650"
}

The actual file UUID should be retrieved by calling the /from_url/status/ endpoint.

Create a copy

Use REST API local_copy operation:

curl --request POST \
  --url https://api.uploadcare.com/files/local_copy/ \
  --header 'Accept: application/vnd.uploadcare-v0.7+json' \
  --header 'Authorization: Uploadcare.Simple {YOUR_PUBLIC_KEY}:{YOUR_SECRET_KEY} \
  --header 'content-type: multipart/form-data' \
  --form source={:UUID}/-/{operation}/{param}/bash

Where:

  • {YOUR_PUBLIC_KEY} and {YOUR_SECRET_KEY} — get them from API keys.
  • {:UUID} — UUID of original image.
  • /{operation}/{param}/image processing operations that you need to bake in.

As a result, the processed version will be saved in the same project as a separate file, which you can safely use in your application. The URL has changed; it only contains a newly assigned UUID; no operations are present.

Signed URLs

Another way to protect URLs from modification is to use signed URLs. Just set the very long validity period (e.g., several years).

When using signed URLs, you do not need to create a copy of the file,

This method doesn't affect your storage volume and upload units. (You can monitor usage in the project's dashboard).

API integrations

You don't have to code most of the low-level API integrations. We have high-level libraries for all popular platforms:

Copying via from_url can be safely done on the front end using client-side JS libraries.