Documentation

Private assets and signed URLs

Keep files private by default and generate short-lived URLs only when a user should download them.

Goal

Serve private files without making them publicly cacheable.

Current status

Live

This area is documented as current, user-reliable behavior.

Workflow

  1. Upload the file with visibility private.
  2. Store the returned asset ID in your database.
  3. Generate a signed URL when an authorized user needs access.
  4. Use maxDownloads for one-time downloads when appropriate.

Create a signed download URL

Example

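```ts
// Call this only after your own authorization check has passed for the requesting user.
const signed = await stackshift.assets.signedUrl(asset.id, {
  expiresIn: '10m', // keep the lifetime short
  maxDownloads: 1, // one-time download
})

// Hand the URL to the authorized user; do not store it alongside the asset ID.
return signed.url
```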

Expected result

Private assets are only downloadable with valid signed URLs and are returned with no-store cache headers.
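
The sketch below is an added illustration of the server-side checks that an expiring, download-capped signed URL implies; it is not Stackshift's implementation. The key, URL layout, status codes and the names `signUrl` and `serve` are assumptions of this example, and asset IDs are assumed to be URL-safe.

```typescript
import { createHmac, timingSafeEqual } from 'node:crypto'

const DEMO_KEY = 'constructed-demo-key' // constructed; a real key stays server-side
const used = new Map<string, number>() // downloads served per signature (in-memory for the demo)

// MAC over an unambiguous encoding of every field the URL carries.
function mac(assetId: string, exp: string, max: string): string {
  return createHmac('sha256', DEMO_KEY).update(JSON.stringify([assetId, exp, max])).digest('hex')
}

// Issue a URL that binds asset ID, expiry time and download cap together.
function signUrl(assetId: string, ttlSeconds: number, maxDownloads: number, now: number): string {
  const exp = String(now + ttlSeconds)
  const max = String(maxDownloads)
  return `/assets/${assetId}?exp=${exp}&max=${max}&sig=${mac(assetId, exp, max)}`
}

interface Decision { status: number; headers: Record<string, string> }

// Decide on a download request: signature first, then expiry, then the download cap.
function serve(url: string, now: number): Decision {
  const headers = { 'Cache-Control': 'no-store' } // sent on every response
  const u = new URL(url, 'https://files.example') // placeholder origin
  const assetId = u.pathname.split('/').pop() ?? ''
  const exp = u.searchParams.get('exp') ?? ''
  const max = u.searchParams.get('max') ?? ''
  const sig = u.searchParams.get('sig') ?? ''
  const expected = Buffer.from(mac(assetId, exp, max))
  const given = Buffer.from(sig)
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { status: 403, headers } // tampered or forged parameters
  }
  if (now >= Number(exp)) return { status: 410, headers } // expired
  const count = used.get(sig) ?? 0
  if (count >= Number(max)) return { status: 410, headers } // cap reached
  used.set(sig, count + 1)
  return { status: 200, headers }
}
```

Because the expiry and the cap are inside the MAC, editing either query parameter invalidates the link instead of extending it.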