Data Types

Generating JWTs

The Upload API and Upload CDN support JWT-based authorization for API requests and file downloads, respectively.

Create an API endpoint

To use JWTs with Upload, you must first create a backend API endpoint that issues JWTs:

  1. Create a private/public RSA key pair:

    ssh-keygen -t rsa -b 4096 -m PEM -f jwt_rs256.key -q -N ""
    openssl rsa -in jwt_rs256.key -pubout -outform PEM \
    cat jwt_rs256.key
  2. Add the public key certificate to your account via the JWT Certificates page.

  3. Make sure your backend API has access to the private key.

  4. Add a new endpoint to your backend API:

    • HTTP verb: GET

    • Path: anything

    • Status code: 200

    • Response content-type: text/plain

    • Response body: an encoded JWT (e.g. eyJhbGci1NiJ9.e35gDeaAu...)

      • The JWT must be signed using the private key from step (1) with the RS256 algorithm.

      • The JWT payload structure must be: UploadJwt

JWT Payload Structure

An example JWT payload is shown below.

In this example, the requester has been granted read/write access to all files within the /users/user-xyz folder (non-recursively):

"exp": 1615680311,
"iat": 1615680311,
"sub": "user-xyz",
"access": {
"pathPermissions": [
"match": {
"path": "/users/user-xyz",
"scope": "Children"
"permissions": {
"read": {
"file": {
"downloadFile": [ "*" ],
"getFileDetails": true
"write": {
"file": {
"createFile": true,
"deleteFile": true,
"overwriteFile": true
"tagPermissions": {
"write": [ "*" ]

To define recursive permissions, add another element to the pathPermissions array with "scope": "Grandchildren+" (see: PathPattern).

For all path permissions, see: UploadJwt

Was this section helpful? Yes No

You are using an outdated browser.

This website requires a modern web browser -- the latest versions of these browsers are supported: