Projects settings

The Uploadcare experience is centered around the concept of a project. Projects are separate environments with unique sets of API keys, dedicated storage, and settings.

For instance, you could use one project to receive user-generated content, another for implementing advanced security features, and a third one to serve your frontend assets. It's best to have both test and production environments, hence projects.

Note that your projects depend on your account billing limits. Hence, if a project is created by an account on the free plan, it will have the limits of the free plan, whether or not there is a paid plan team member. Other account settings can be found here.

API keys

We provide two kinds of API keys: public and secret. Depending on which Uploadcare features you want to use, you will implement either your public key or a key pair.

Public API key

The main use of a YOUR_PUBLIC_KEY is to identify a target project for your uploads. It is required when using Upload API or its clients, such as the File uploader.

Secret API keys

A YOUR_SECRET_KEY is required when using our REST API to manage files within a project or when signing uploads. You can add multiple secret API keys to a single Uploadcare project to ensure extended control options over your environments.


Configure your storage options in the Storage section.

Automatic file storing

By default, Upload API doesn't store the files forever. There is a 24-hour window when you should decide whether to store uploaded files or not. Note that all of our official libraries, including File uploader, inherit the auto-store setting from your project, where it's set to ON by default.

Custom Amazon S3 Bucket Storage

You can connect one or more Amazon S3 buckets to your project. Then files uploaded to the project can be copied to your bucket automatically or with the REST API.

Configure uploading, Storage, Connect S3 bucket

Note that when using the S3 bucket, CDN Uploadcare features are only available via Proxy.

Configure backups

You can have all your stored files copied to a custom S3 bucket automatically. Connect the storage once, and the system will do backups on a timely basis.

Secure uploading

Configure your secure uploading options in the Security section.

Signed uploads

Signed uploads let you control who can upload files to an Uploadcare project within your account. Your backend generates a signature using a Secret Key and includes an expiration time parameter. A client is required to include a valid signature in an upload request. It works with Uploadcare File Uploader and Upload API.
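A backend-side sketch of the signature flow described above, added here as an example and not taken from Uploadcare's code. It assumes the signature is a hex HMAC-SHA256 of the expiration timestamp keyed with the secret key, and that the two values are named `signature` and `expire`; confirm both against the Upload API reference.

```python
import hashlib
import hmac
import time


def _sign(secret_key, expire):
    # Assumed scheme: hex HMAC-SHA256 of the expire timestamp, keyed with the secret key.
    return hmac.new(secret_key.encode(), str(expire).encode(), hashlib.sha256).hexdigest()


def make_upload_signature(secret_key, ttl_seconds, now=None):
    """Backend side: values handed to the client for one upload window."""
    now = int(time.time()) if now is None else now
    expire = now + ttl_seconds
    return {"signature": _sign(secret_key, expire), "expire": expire}


def check_upload_signature(secret_key, signature, expire, now=None):
    """Receiving side: reject expired or forged signatures."""
    now = int(time.time()) if now is None else now
    if int(expire) <= now:
        return False  # the upload window has closed
    expected = _sign(secret_key, int(expire))
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), str(signature).encode())


if __name__ == "__main__":
    # Constructed key; a real secret key stays on the backend and never reaches the client.
    params = make_upload_signature("demo-secret-key", ttl_seconds=1800)
    print(params)
```

Because the expiration time is the signed message, a client that extends `expire` invalidates the signature; keep the lifetime short so a leaked signature is only briefly useful.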

Uploading whitelabeling

Configure your uploading whitelabeling options in the Whitelabeling section.

Custom OAuth applications

With File uploader, end-users can upload files from various upload sources, such as Google Drive and Facebook. By default, Uploadcare requests access to these cloud services. This allows Uploadcare to see and download all files stored with this service.

With custom OAuth, you can set up your application icon, name, as well as Privacy Policy and Terms of Use.

Configure uploading, Whitelabeling, Custom OAuth

Check out OAuth connection examples.

Widget version v3.17.0 (and later) allows you to revoke OAuth access to the content of connected accounts (Dropbox, Facebook, etc.) using the remoteTabSessionKey parameter.

A two-part key is used to encrypt the OAuth token, consisting of a secret and an end-user part. The secret part is stored with Uploadcare, and the end-user part of the key is passed through remoteTabSessionKey.

When an end-user enters the host application and logs in to one of the available accounts (Dropbox, Facebook, etc.), a new end-user part of the key should be generated.

When the end-user logs out of the host application, the host application should lose information about the end-user part of the key.

Since the end-user part of the key will be different for each session, the end-user will have to re-login to the account inside the host application. The end-user part of the key must not match the end-user's id, e-mail, or other repeatable information. It's recommended to use a 6-8 character string to sign an end-user part of the key.

This feature is useful when several end-users have access to the same device. Assume that the OAuth application is not configured with remoteTabSessionKey. In this case, it is possible that the end-user logs out of the application but remains logged into the Uploadcare widget, i.e., another end-user of the host application can log into the previous user's open session on the same device.
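One way a host application could manage the end-user part of the key across login and logout, added here as an example and not taken from Uploadcare's code. The `RemoteTabKeyStore` class and its method names are hypothetical; only the `remoteTabSessionKey` parameter name comes from the text above.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
KEY_LENGTH = 8  # the text above recommends a 6-8 character string


class RemoteTabKeyStore:
    """Hypothetical server-side store: one random key per login session."""

    def __init__(self):
        self._keys = {}

    def on_login(self, session_id):
        # Drawn from a CSPRNG, never derived from the user's id or e-mail,
        # so it cannot be reproduced by the next person on the same device.
        key = "".join(secrets.choice(ALPHABET) for _ in range(KEY_LENGTH))
        self._keys[session_id] = key
        return key

    def widget_settings(self, session_id):
        # Refuse to configure the widget without a key: a widget rendered
        # without remoteTabSessionKey is the shared-device case to avoid.
        if session_id not in self._keys:
            raise LookupError("no active session, widget must not be rendered")
        return {"remoteTabSessionKey": self._keys[session_id]}

    def on_logout(self, session_id):
        # Forgetting the key makes the stored OAuth token undecryptable,
        # which is what forces a fresh login to the connected account.
        self._keys.pop(session_id, None)


if __name__ == "__main__":
    store = RemoteTabKeyStore()
    store.on_login("session-a")  # constructed session id
    print(store.widget_settings("session-a"))
    store.on_logout("session-a")
```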

Custom uploading CNAME

Use your own domain name for Upload API and source endpoints. E.g., and instead of and Can be shared between several projects.

Secure delivery

Configure your secure delivery options in the Security section.

Search engine indexing

Restrict search engines from analyzing and indexing content in your project for global search: image and text.

Signed URLs

This security feature lets you control who can access files in your project, and for how long, via signed URLs. In other words, it's a CDN URL with a signature generated on your backend (similar to signed uploads). This feature works in conjunction with a Custom CNAME.

Allowed domains

An option that allows uploading images from the domains you trust when using Proxy and Adaptive delivery. This can help you build a more secure and closed system for end users. Each project has its own Whitelist.

Delivery whitelabeling

Configure your delivery whitelabeling options in the Whitelabeling section.


Use your own domain for CDN links to your files stored with Uploadcare. By default, all file URLs use domain. By setting a Custom CNAME, the file URLs can use instead.

Proxy endpoint

A Proxy Endpoint is a URL prefix that goes before the original link to the file on your domain. For example This will deliver image.jpg file using Uploadcare CDN.


Uploadcare provides an option to automatically send notifications to a public URL of your choosing when a file is uploaded. These notifications are webhooks.

Configure your webhooks in the Webhooks page.

API, Webhooks

Each webhook payload can be signed with a secret to ensure that the request comes from the expected sender. The resulting signature is included in the request header, so you can use it to validate that the request comes from Uploadcare.
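A receiver-side check for the signed payload described above, added here as an example and not taken from Uploadcare's code. It assumes the header is named `X-Uc-Signature` and carries `v1=` followed by a hex HMAC-SHA256 of the raw request body; confirm both against the webhook documentation. The sample body is constructed.

```python
import hashlib
import hmac
import json

SIGNATURE_HEADER = "x-uc-signature"  # assumed header name, matched case-insensitively
SIGNATURE_PREFIX = "v1="             # assumed scheme tag before the hex digest


def sign_body(signing_secret, raw_body):
    """Signature the sender would attach for these exact bytes."""
    digest = hmac.new(signing_secret.encode(), raw_body, hashlib.sha256).hexdigest()
    return SIGNATURE_PREFIX + digest


def handle_webhook(signing_secret, raw_body, headers):
    """Return (status, event). The raw bytes are verified BEFORE they are parsed."""
    received = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER, "")
    expected = sign_body(signing_secret, raw_body)
    # Constant-time comparison; a missing header compares as "" and is rejected.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 403, None
    try:
        return 200, json.loads(raw_body)
    except ValueError:
        return 400, None


# Constructed sample delivery (not a captured Uploadcare request).
SAMPLE_SECRET = "demo-signing-secret"
SAMPLE_BODY = b'{"hook": {"event": "file.uploaded"}, "data": {"uuid": "example-uuid"}}'
SAMPLE_HEADERS = {"X-Uc-Signature": sign_body(SAMPLE_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(handle_webhook(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADERS))
```

Verify the bytes exactly as received: a body that has been parsed and re-serialized by a framework can differ in whitespace or key order and will no longer match the signature.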


The account owner can add collaborators to their projects. Collaborators:

  • Have full access to project files.
  • Have access to this project's settings (including secret keys).
  • Can't invite new users to the project.
  • Can't delete the project. Only the project owner can do that.
  • Don't have access to the payment settings for that project.

If the invited user doesn't have an Uploadcare account, they will be redirected to the signup page (they should use the same email address to which they were invited). The invitation link is valid for 24 hours.

Configure your team in the Team section.