Getting started
Authentication
Public API routes authenticate with a Bearer API key. API keys are created in the dashboard.
Authorization header
Authorization: Bearer ru_xxxxxxxxAPI keys are created in the dashboard. The full key is shown once; store it securely on your server.
Permissions
Each key has one or more permissions:
files.read— get upload session status, whoamifiles.write— create sessions, complete uploads, cancelfiles.delete— delete files viaDELETE /files/:fileId
Project scope
Keys are scoped to a workspace and either specific projects or all projects you selected when creating the key. Use GET /public/whoami to list projects your key can access (each with id, name, and uploadCorsOrigins when configured for CDN client uploads).
Whoami
GET /public/whoami requires files.read. Example response:
{
"apiKeyId": "uuid",
"workspaceId": "uuid",
"name": "Production key",
"permissions": ["files.read", "files.write"],
"allProjects": false,
"projects": [
{
"id": "uuid",
"name": "Production",
"uploadCorsOrigins": ["https://app.example.com"]
}
]
}curl -s 'https://api.reupload.dev/api/v1/public/whoami' \
-H 'Authorization: Bearer ru_your_api_key_here'Rate limits
Upload session creation is limited per API key (per minute, by plan). Other routes share a general API-key rate limit. Exceeded limits return 429 RATE_LIMITED.
Security
Never embed API keys in mobile apps or front-end JavaScript. Call Reupload from your backend, or issue short-lived tokens from your own auth layer if you add that pattern later.