Secure Uploading

Secure Uploading is a feature allowing you to implement access management in your file uploading workflows. It is available on any plan and works with both Uploadcare File Uploader and Upload API.

Switching to the Secure Uploading flow implies you have a backend-enabled product: uploading any file will require a token that should be generated on your end.

With Secure Uploading, you can control who and when can upload files to a certain Uploadcare project.

From here, you can continue reading to learn how to enable Secure Uploading, provide your engineering team with this reference to dig into or contact us in case you have any questions.

Let’s break down enabling Secure Uploading in four steps.

Switching to Secure Uploading in Your Project

A project is a separate environment that stores unique sets of keys and settings, including security options. Navigate to your Dashboard and pick an existing project or create a new one.

Then, go to “Secure Uploading” and hit “Enable.” This project will now require additional parameters provided in every request to Upload API: signature and expire. From here, your next step is choosing how you upload files: by making API requests or using our File Uploader.

Choosing Your Uploading Flow and Generate Signatures

Technically, the choice is about making API requests or configure an API client to do this for you. Uploadcare File Uploader is an Upload API client; on top of that, it adapts to your app’s layout and flow, allows uploading files from different sources like Social Media and Cloud Storage Providers, and provides tools to preview uploaded images and edit them in any browser.

No matter the flow you implement, you will need to generate signature and expire to either pass those as request parameters or file uploader options.

Once switched on in your project’s settings via our dashboard, this option requires an extra token sent to Upload API for your project to receive the upload. The extra token is called signature and is derived using the two params: secret_key and expire. And here is an example how you make it in python.

Making signature

signature is a string sent along with your upload request. It requires your Uploadcare project Secret Key and should be created on your back end.

The signature is an HMAC/SHA256 with an expire string as a message (expiration time) and secret_key as a key.

Here's how to make a signature in Python:

import time
import hashlib
import hmac

def generate_secure_signature(secret, expire):
    k, m = secret, str(expire).encode('utf-8')
    if not isinstance(k, (bytes, bytearray)):
        k = k.encode('utf-8')

    return, m, hashlib.sha256).hexdigest()

# Expire in 30 min, e.g., 1454903856
expire = int(time.time()) + 60 * 30

# Secret key of your project
secret = 'project_secret_key'

# Example result: '9890adc8886d27c93befed595abfbca514b7592a88e2f64dbddbea2d369a68dc'
signature = generate_secure_signature(secret, expire)

Making signature in NodeJS:

const crypto = require('crypto');

function generateSignature(secret, expire) {
  const hmac = crypto.createHmac('sha256', secret);
  return hmac.digest('hex');

// secret key
const secret = 'project_secret_key';

// define expiry (e.g. 120 seconds)
const expire = (Math.round( / 1000) + 120).toString();
const signature = generateSignature(secret, expire);

Making signature in Ruby:

require "openssl" # if necessary

def generate_signature(secret, expire_at)
OpenSSL::HMAC.hexdigest("SHA256", secret, expire_at.to_i.to_s)

secret = 'secret'
expire_at = + 60 * 2 # 2 minutes from now
generate_signature(secret, expire_at)

expire explained

The expire string sets the expiration date and time for a signature. It has a Unix time format (e.g., 1454903856). The expire function in the examples above includes a calculation from the moment of generation plus some duration. For example, 30 minutes.

Here's a signature expiration line of code in Python:

# Expire in 30 min, e.g., 1454903856
expire = int(time.time()) + 60 * 30

Secure Uploading example


curl -F "UPLOADCARE_PUB_KEY=caa9d29da887ee88ffe6" \
     -F "signature=46f70d2b4fb6196daeb2c16bf44a7f1e" \
     -F "expire=1454903856" \
     -F "file=@image.jpg" \


  "file": "c0d776d4-8c8e-47df-9e92-03b68b99c2ba"

Possible errors

If you enable Secure Uploading for one of your projects, then both signature and expire parameters are required for every upload request. Otherwise, you’ll receive one of the following errors:

[HTTP 400] 'signature' is required.
[HTTP 400] 'expire' is required.

If expire is not a valid Unix timestamp,

[HTTP 400] 'expire' must be a UNIX timestamp.

If your signature has expired, i.e., expire < now,

[HTTP 403] Expired signature.

If signature is incorrect,

[HTTP 403] Invalid signature.

Now that you know how to generate the parameters, it’s time for a hands-on.

Testing Secure Uploading

With Upload API, you make a request providing signature and expire. Don’t forget to specify your Public API Key in UPLOADCARE_PUB_KEY. We’ve got ready-made request and response examples here.

With Uploadcare File Uploader, your first step is configuring and installing it. Then you specify the Secure signature and Secure expire file uploader options.

Note, you will still be able to upload files to your project directly via the “Files” tab.