Private files

By default every dropkit file is public: anyone with the URL (or the ID) can read it. That’s the right behavior for user avatars, blog media, marketing assets.

When it isn’t, mark the upload private. The CDN will 404 every request unless the URL carries a valid signature.

Upload as private

SDK

import { upload } from '@dropkit/sdk';

const { data } = await upload(file, {
  key: 'sk_live_...',
  visibility: 'private',
});
// data.url still looks like https://cdn.dropkit.app/<id>
// but it will 404 without a signed URL.

REST, multipart

curl -X POST https://api.dropkit.app/v1/upload \
  -H "authorization: Bearer sk_live_..." \
  -F "file=@./invoice.pdf" \
  -F "visibility=private"

REST, header

curl -X POST https://api.dropkit.app/v1/upload \
  -H "authorization: Bearer sk_live_..." \
  -H "x-visibility: private" \
  -H "content-type: application/pdf" \
  --data-binary @./invoice.pdf

Mint a signed URL

SDK

import { signFileUrl } from '@dropkit/sdk';

const { data } = await signFileUrl('abc123', {
  key: 'sk_live_...',
  expiresIn: 3600, // 1 hour; default 3600, max 604800 (7 days)
});
// data.url: https://cdn.dropkit.app/abc123?exp=1234&sig=...

REST

curl -X POST https://api.dropkit.app/v1/files/abc123/sign \
  -H "authorization: Bearer sk_live_..." \
  -H "content-type: application/json" \
  -d '{"expiresIn": 3600}'

{ "url": "https://cdn.dropkit.app/abc123?exp=...&sig=...", "expiresAt": 1777... }

Signed URL with image transform

Need a thumbnail of a private image? Pass transform to bake the resize params into the URL. The CDN applies them on read, so the URL works as an <img src>.

SDK

import { signFileUrl } from '@dropkit/sdk';

const { data } = await signFileUrl('abc123', {
  key: 'sk_live_...',
  transform: { w: 200, h: 200, fit: 'cover', format: 'webp' },
});
// data.url: https://cdn.dropkit.app/abc123?w=200&h=200&fit=cover&format=webp&exp=...&sig=...

REST

curl -X POST https://api.dropkit.app/v1/files/abc123/sign \
  -H "authorization: Bearer sk_live_..." \
  -H "content-type: application/json" \
  -d '{"expiresIn": 3600, "transform": {"w": 200, "h": 200, "fit": "cover", "format": "webp"}}'

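The signature only covers fileId.exp, so you can also append &w=...&fit=... to an existing signed URL after the fact. Use &, not ?, because the URL already has a query string. The same property means the transform parameters are not pinned by the signature: anyone holding a signed URL can change them.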

How it works

  • Each project has a signing secret (minted lazily on first private upload or first sign call).
  • A signed URL is https://cdn.dropkit.app/<id>?exp=<unix-seconds>&sig=<hex> where the signature is HMAC_SHA256(projectSecret, "<fileId>.<exp>") hex-encoded.
  • The CDN verifies the signature on every request. Expired URLs and tampered signatures both return 404.
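
The scheme above, written out in Node.js as an added example that is not dropkit's CDN or SDK code. The secret, the function names, and treating exp equal to the current time as expired are assumptions made here.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

// Constructed sample values; a real project secret is held by dropkit.
const SECRET = 'example-project-secret';
const CDN = 'https://cdn.dropkit.app';

// HMAC_SHA256(projectSecret, "<fileId>.<exp>"), hex-encoded, as described above.
function sign(secret, fileId, exp) {
  return createHmac('sha256', secret).update(`${fileId}.${exp}`).digest('hex');
}

// Hypothetical helper: builds a URL in the documented shape.
function mintSignedUrl(secret, fileId, expiresIn, now) {
  const exp = now + expiresIn;
  return `${CDN}/${fileId}?exp=${exp}&sig=${sign(secret, fileId, exp)}`;
}

// Returns the status a verifier following the documented rules would give:
// 200 for a valid, unexpired signature, 404 for everything else.
function verifySignedUrl(secret, rawUrl, now) {
  const url = new URL(rawUrl);
  const fileId = url.pathname.slice(1);
  const expRaw = url.searchParams.get('exp') ?? '';
  const sig = url.searchParams.get('sig') ?? '';
  // Reject a non-numeric exp and anything that is not 64 hex characters
  // first, so timingSafeEqual always receives equal-length buffers.
  if (!/^\d+$/.test(expRaw) || !/^[0-9a-f]{64}$/.test(sig)) return 404;
  const expected = Buffer.from(sign(secret, fileId, expRaw), 'hex');
  // Constant-time comparison avoids leaking how many leading bytes matched.
  if (!timingSafeEqual(expected, Buffer.from(sig, 'hex'))) return 404;
  if (Number(expRaw) <= now) return 404; // expired (boundary is an assumption)
  return 200;
}
```

Appending &w=200&fit=cover to a minted URL still verifies, while changing the file ID or exp does not, because only "<fileId>.<exp>" is signed.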

Toggling existing files

Dashboard: Files tab, “Make private” / “Make public” per file.

REST: not exposed yet. If you need it programmatically, open an issue.