Upload sources for File Uploader

Our File Uploader supports 9 upload sources, including local file storage, web camera, external URL, cloud services, and social networks.

(If you’re looking for previous uploading widget upload sources, look here).

List of supported upload sources

To enable/disable different upload sources, refer to the File Uploader configuration.

You can upload multiple files, including a “select all” option.

Export data formats

Some cloud services, such as Google Drive, export document files as PDFs by default, but they can be exported as Word documents, PDFs or plain text.

You can define the behavior by setting preferred MIME types:

• Provide a list containing the MIME types preferred for export (see externalSourcesPreferredTypes parameter).
• Wildcards are allowed, e.g.: application/vnd.openxmlformats-officedocument.*.
• If no MIME types match the criteria or preferred types aren’t set, default formats are used.

Custom OAuth applications

End-users can upload files from various upload sources, such as Google Drive and Facebook. By default, Uploadcare requests access to these cloud services. This allows Uploadcare to see and download all files stored with this service.

With custom OAuth, you can set up your application icon, name, as well as Privacy Policy and Terms of Use.

This tutorial explains how to use OAuth 2.0 tokens for authorization and shows examples of OAuth connection.

OAuth 2.0 tokens for authorization

If you have integration with one of social networks or cloud services through OAuth 2 and want to reuse user’s token in the Uploadcare widget, you can use API for that:

1. First, you need to check that you request all permissions required for Uploadcare widget’s normal work. You can find the full list in the Required permissions section below.
2. It is only possible to set a token from the client. If you are using tokens only on the server side, you’ll need to temporarily transfer them to the client and send requests from the browser. Please, make sure that your site is served via HTTPS, otherwise, this is a huge security vulnerability.
3. If you are using custom OAuth apps, it will take some extra work to make everything work together.
4. You will need to send GET request to the following URL: https://social.uploadcare.com/[storage_key]/set_keys. For what is [storage_key], see the Storage key section below.

You’ll need to send the following information through query string:

• public_key — required. The public key of your Uploadcare project.
• access_token — required. The access token issued by the authorization server.
• token_type — required. The type of the token issued by the authorization server. In most cases, it is Bearer.
• refresh_token — optional. The refresh token, which can be used to get new access tokens using the same authorization grant.

The request can be sent at any time. The best moment is when the user is logged in to your site through OAuth 2.0. But if you already have a lot of logged in users, you may need to send this request on a page load.

Note that for security reasons, it is not possible to use tokens from the widget in your apps. You can only expose your keys to Uploadcare.

Storage key explanation

The storage key is a part of a URL, which you (and Uploadcare widget) use for communication with social services. In simple cases, this is the service name. For example: box, facebook, dropbox, and gdrive.

But if you are using custom OAuth apps for your project, these keys will be different. The easiest way to find out the right storage key is to look for it in the browser’s developer panel. Open the widget on the tab you are interested in and find the request to social.uploadcare.com.

Required permissions

Some of the services need extra permissions to work with Uploadcare.

Full list of permissions:

• Facebook: user_photos, user_videos
• Google Drive: https://www.googleapis.com/auth/drive.readonly
• OneDrive: wl.offline_access

Revoke OAuth access

File Uploader and jQuery File Uploader version v3.17.0 (and later) allows you to revoke OAuth access to the content of connected accounts (Dropbox, Facebook, etc.) using the remoteTabSessionKey and remoteTabSessionKey parameter respectively.

A two-part key is used to encrypt the OAuth token, consisting of a secret and an end-user part. The secret part is stored with Uploadcare, and the end-user part of the key is passed through remoteTabSessionKey.

When an end-user enters the host application and logs in to one of the available accounts (Dropbox, Facebook, etc.), a new end-user part of the key should be generated.

When the end-user logs out of the host application, the host application should lose information about the end-user part of the key.

Since the end-user part of the key will be different for each session, the end-user will have to re-login to the account inside the host application. The end-user part of the key must not match the end-user’s id, e-mail, or other repeatable information. It’s recommended to use a 6-8 characters string to sign an end-user part of the key.

This feature is useful when several end-users have access to the same device. Assume that the OAuth application is not configured with remoteTabSessionKey. In this case, it is possible that the end-user logs out of the application but remains logged into the Uploadcare widget, i.e., another end-user of the host application can log into the previous user’s open session on the same device.

Examples

Google Drive

1. Open Google Developers Console.
2. Click Create Project.
3. Think up a name for your project. For example, your site or application name.
4. Go to API Manager, search for Drive API and enable it.

5. Go to API Manager → Credentials and add OAuth 2.0 client ID.

6. Choose Web application and add the following URL as Authorized redirect URIs: https://social.uploadcare.com/gdrive/endpoint
7. Copy the client ID and client secret keys.
8. Go to Dashboard, open the Custom OAuth apps page, select Google Drive and fill in the App key and App secret fields with the keys you got from Google. Click Save Keys.

Dropbox

1. Open Dropbox App Console.
2. Click Create app.
3. Choose Dropbox API.
4. Choose Full Dropbox — Access to all files and folders in a user’s Dropbox.
5. Think up a name for your app. For example, your site or application name.
6. Click Create app. The new application will be created.
7. On the settings page of the app, add the following URI to the Redirect URIs field: https://social.uploadcare.com/dropbox/endpoint.
8. Before connecting the app, you need to increase users limit, to do this click Enable additional users.
9. Find App key and App secret and copy them.
10. Go to Dashboard, open the Custom OAuth apps page in project settings, select Dropbox and fill in the App key and App secret fields with the keys you got from Dropbox. Click Save Keys.
11. Now you can test your app. In the widget, try to connect Dropbox. If everything is done right, you will see the request from your app.
12. After that, you will need to apply the app for production. Go back to the app settings page and click Apply for production. Follow the instructions to send the request.

Facebook

Before you start:

• A phone-verified Facebook Developer account at developers.facebook.com.
• A publicly accessible privacy policy URL and user data deletion instructions URL — Meta requires both before App Review.
• A Meta business portfolio. Most apps requesting access to user data require Business Verification before going live.

1. Go to Meta for Developers and click Create app.

2. Enter an App name and App contact email. Under Use cases, select Authenticate and request data from users with Facebook Login. Click Create app.

3. In the left menu, open Use cases → Customize and add the permissions your integration needs: user_photos to import photos, user_videos to import videos. Only request what you actually use — unnecessary permissions are a common reason for App Review rejection.

4. Open Use Cases → Customize → Settings and add the redirect URI. If you have a CNAME for the social endpoint, use it: https://your-domain.com/facebook/endpoint. Otherwise, use the default: https://social.uploadcare.com/facebook/endpoint. Click Save changes.

5. Open Settings → Basic and fill in: App domains (social.uploadcare.com or your custom domain), Category, App icon (1024×1024 PNG, no Meta trademarks), Privacy policy URL, and User data deletion instructions URL. Click Save changes. Filling in the remaining optional fields (description, tagline, support contacts) is recommended — a complete profile improves your chances during App Review.

6. Copy the App ID and App Secret from the Basic settings page.

   The App Secret is sensitive — never commit it to source control, share it in plaintext, or expose it client-side.

7. Go to Dashboard, open Project → Settings → Custom OAuth → Facebook, enter the App ID and App Secret. Click Add.

8. Test the Facebook auth flow in Development mode. Make at least one successful API call per requested permission within 30 days of submitting for App Review — Meta requires this and reviewers will check for it.

9. Submit for App Review. Go to App Review → Requests and start a new submission. For each permission, provide a use-case description and a screencast showing the full flow: initial login, the Facebook consent dialog, and how the data is used in your product. Record at 1440px width or less. See Meta’s App Review documentation for full requirements.

10. After your app passes review, open the App Dashboard and toggle the app status from Development to Live.

Box

1. Open Box Applications list.
2. Click Create a Box Application.
3. Think up a name for your application. For example, your site or application name.
4. Select Box Content.
5. Set the following URL as redirect_uri in the project settings and select Read and write all files and folders: https://social.uploadcare.com/box/endpoint. Note that all other boxes of the Scope section must be unmarked.
6. At the bottom of the form, Click Save Application.
7. Go to Dashboard, open the Custom OAuth apps page, select Box and fill in the App key and App secret fields with the keys you got from Box. Click Save Keys.