The Uploadcare experience is centered around the concept of a project. Projects are separate environments with unique sets of API keys, dedicated storage, and settings.
For instance, you could use one project to receive user-generated content, another for implementing advanced security features, and a third one to serve your frontend assets. It's best to have both test and production environments, hence projects.
Note that your projects depend on your account billing limits. Hence, if a project is created by an account on the free plan, it will have the limits of the free plan, whether or not there is a paid plan team member. Other account settings can be found here.
We provide two kinds of API keys: public and secret. Depending on which Uploadcare features you want to use, you will implement either your public key or a key pair.
secret_key is required when using our REST API
to manage files within a project or when
signing uploads. You can add multiple
secret API keys to a single Uploadcare project to ensure extended control
options over your environments.
By default, Upload API doesn't store the files forever. There is a 24-hour window when you should decide whether to store uploaded files or not. Note that all of our official libraries, including File uploader, inherit the auto-store setting from your project, where it's set to ON by default.
You can connect one or more Amazon S3 buckets to your project. Then files uploaded to the project can be copied to your bucket automatically or with the REST API.
Note that when using the S3 bucket, CDN Uploadcare features are only available via Proxy.
You can have all your stored files to be copied to a custom S3 bucket automatically. Connect the storage once, and the system will do backups on a timely basis.
You can set up a project to only upload certain types of files. By default, all MIME file types can be uploaded to the project.
You can validate uploads by allowing only specific file types:
You can set the maximum file size accepted by API up to 5TB (5242880 MB).
A feature to control who can upload files to an Uploadcare project within your account. Your backend generates a signature using a Secret Key and includes an expiration time parameter. A client is required to include a valid signature in an upload request. It works with Uploadcare File Uploader and Upload API.
Uploadcare automatically detects infected or malicious files, preventing your users from uploading them and helping you avoid distributing such files. Turning Malware protection on will make sure your app is secure and compliant. All files are checked by ClamAV (open-source antivirus engine).
With File uploader, end-users can upload files from various upload sources, such as Google Drive and Facebook. By default, Uploadcare requests access to these cloud services. This allows Uploadcare to see and download all files stored with this service.
Check out OAuth connection examples.
A two-part key is used to encrypt the OAuth token, consisting of a secret and
an end-user part. The secret part is stored with Uploadcare, and the end-user
part of the key is passed through
When an end-user enters the host application and logs in to one of the available accounts (Dropbox, Facebook, etc.), a new end-user part of the key should be generated.
When the end-user logs out of the host application, the host application should lose information about the end-user part of the key.
Since the end-user part of the key will be different for each session, the end-user will have to re-login to the account inside the host application. The end-user part of the key must not match the end-user's id, e-mail, or other repeatable information. It's recommended to use a 6-8 characters string to sign an end-user part of the key.
This feature is useful when several end-users have access to the same device.
Assume that the OAuth application is not configured with
In this case, it is possible that the end-user logs out of the application
but remains logged into the Uploadcare widget, i.e., another end-user of the
host application can log into the previous user's open session on the same
Use your own domain name for Upload API and source endpoints. E.g.,
upload.mydomain.com and social.mydomain.com instead of
social.uploadcare.com. Can be shared between several projects.
Restrict search engines to analyze and index content in your project for global search: image and text.
This security feature lets you control who and for how long can access files in your project via signed URLs. In other words, it's a CDN URL with a signature generated on your backend (similar to Secure Uploading). This feature works in conjunction with a Custom CNAME.
An option that allows uploading images from the domains you trust when using Proxy and Adaptive delivery. This can help you build a more secure and closed system for end users. Each project has its own Whitelist.
Use your own domain for CDN links to your files stored with Uploadcare.
By default, all file URLs use
ucarecdn.com domain. By setting a Custom CNAME,
the file URLs can use
A Proxy Endpoint is a URL prefix that goes before the original link
to the file on your domain. For example
This will deliver image.jpg file using Uploadcare CDN.
Uploadcare provides an option to automatically send notifications when a file is uploaded to a public URL of your choosing (webhooks). Each webhook payload can be signed with a secret to ensure that the request comes from the expected sender. The resulting signature is included in the request header, so you can use it to validate that the request comes from Uploadcare.
The account owner can add collaborators to their projects. Collaborators:
- Have full access to project files.
- Have access to this project's settings (including secret keys).
- Can't invite new users to the project.
- Can't delete the project. Only the project owner can do that.
- Don't have access to the payment settings for that project.
If the invited user doesn't have an Uploadcare account, they will be redirected to the signup page (they should use the same email address to which they were invited). The invitation link is valid for 24 hours.