Projects settings

The Uploadcare experience is centered around the concept of a project. Projects are separate environments with unique sets of API keys, dedicated storage, and settings.

For instance, you could use one project to receive user-generated content, another for implementing advanced security features, and a third one to serve your frontend assets. It's best to have both test and production environments, hence projects.

Note that your projects depend on your account billing limits. Hence, if a project is created by an account on the free plan, it will have the limits of the free plan, whether or not there is a paid plan team member. Other account settings can be found here.

API keys

We provide two kinds of API keys: public and secret. Depending on which Uploadcare features you want to use, you will implement either your public key or a key pair.

Public API key

The main use of a public_key is to identify a target project for your uploads. It is required when using Upload API or its clients, such as the File uploader.

Secret API keys

A secret_key is required when using our REST API to manage files within a project or when signing uploads. You can add multiple secret API keys to a single Uploadcare project to ensure extended control options over your environments.

Storage

Automatic file storing

By default, Upload API doesn't store the files forever. There is a 24-hour window when you should decide whether to store uploaded files or not. Note that all of our official libraries, including File uploader, inherit the auto-store setting from your project, where it's set to ON by default.

Custom Amazon S3 Bucket Storage

You can connect one or more Amazon S3 buckets to your project. Then files uploaded to the project can be copied to your bucket automatically or with the REST API.

Configure uploading, Storage, Connect S3 bucket
Configure uploading, Storage, Connect S3 bucket

Note that when using the S3 bucket, CDN Uploadcare features are only available via Proxy.

Configure backups

You can have all your stored files to be copied to a custom S3 bucket automatically. Connect the storage once, and the system will do backups on a timely basis.

Validation

File types

You can set up a project to only upload certain types of files. By default, all MIME file types can be uploaded to the project.

You can validate uploads by allowing only specific file types:

  • audio
  • documents
  • fonts
  • images
  • video

Maximum file size

You can set the maximum file size accepted by API up to 5TB (5242880 MB).

Secure uploading

Signed uploads

A feature to control who can upload files to an Uploadcare project within your account. Your backend generates a signature using a Secret Key and includes an expiration time parameter. A client is required to include a valid signature in an upload request. It works with Uploadcare File Uploader and Upload API.

Malware protection

Uploadcare automatically detects infected or malicious files, preventing your users from uploading them and helping you avoid distributing such files. Turning Malware protection on will make sure your app is secure and compliant. All files are checked by ClamAV (open-source antivirus engine).

Uploading whitelabeling

Custom OAuth applications

With File uploader, end-users can upload files from various upload sources, such as Google Drive and Facebook. By default, Uploadcare requests access to these cloud services. This allows Uploadcare to see and download all files stored with this service.

With custom OAuth, you can set up your application icon, name, as well as Privacy Policy and Terms of Use.

Configure uploading, Whitelabeling, Custom OAuth
Configure uploading, Whitelabeling, Custom OAuth

Check out OAuth connection examples.

Widget version v3.17.0 (and later) allows you to revoke OAuth access to the content of connected accounts (Dropbox, Facebook, etc.) using the remoteTabSessionKey parameter.

A two-part key is used to encrypt the OAuth token, consisting of a secret and an end-user part. The secret part is stored with Uploadcare, and the end-user part of the key is passed through remoteTabSessionKey.

When an end-user enters the host application and logs in to one of the available accounts (Dropbox, Facebook, etc.), a new end-user part of the key should be generated.

When the end-user logs out of the host application, the host application should lose information about the end-user part of the key.

Since the end-user part of the key will be different for each session, the end-user will have to re-login to the account inside the host application. The end-user part of the key must not match the end-user's id, e-mail, or other repeatable information. It's recommended to use a 6-8 characters string to sign an end-user part of the key.

This feature is useful when several end-users have access to the same device. Assume that the OAuth application is not configured with remoteTabSessionKey. In this case, it is possible that the end-user logs out of the application but remains logged into the Uploadcare widget, i.e., another end-user of the host application can log into the previous user's open session on the same device.

Custom uploading CNAME

Use your own domain name for Upload API and source endpoints. E.g., upload.mydomain.com and social.mydomain.com instead of upload.uploadcare.com and social.uploadcare.com. Can be shared between several projects.

Secure delivery

Search engine indexing

Restrict search engines to analyze and index content in your project for global search: image and text.

Signed URLs

This security feature lets you control who and for how long can access files in your project via signed URLs. In other words, it's a CDN URL with a signature generated on your backend (similar to Secure Uploading). This feature works in conjunction with a Custom CNAME.

Allowed domains

An option that allows uploading images from the domains you trust when using Proxy and Adaptive delivery. This can help you build a more secure and closed system for end users. Each project has its own Whitelist.

Delivery whitelabeling

Custom CDN CNAME

Use your own domain for CDN links to your files stored with Uploadcare. By default, all file URLs use ucarecdn.com domain. By setting a Custom CNAME, the file URLs can use cdn.mycompany.com instead.

Proxy endpoint

A Proxy Endpoint is a URL prefix that goes before the original link to the file on your domain. For example https://yoursite.ucr.io/https://yoursite.com/assets/image.jpg. This will deliver image.jpg file using Uploadcare CDN.

Webhooks

Uploadcare provides an option to automatically send notifications when a file is uploaded to a public URL of your choosing (webhooks). Each webhook payload can be signed with a secret to ensure that the request comes from the expected sender. The resulting signature is included in the request header, so you can use it to validate that the request comes from Uploadcare.

API, Webhooks
API, Webhooks

Team

The account owner can add collaborators to their projects. Collaborators:

  • Have full access to project files.
  • Have access to this project's settings (including secret keys).
  • Can't invite new users to the project.
  • Can't delete the project. Only the project owner can do that.
  • Don't have access to the payment settings for that project.

If the invited user doesn't have an Uploadcare account, they will be redirected to the signup page (they should use the same email address to which they were invited). The invitation link is valid for 24 hours.