Getting started

Authentication

Public API routes authenticate with a Bearer API key. API keys are created in the dashboard.

Authorization header

Authorization
Authorization: Bearer ru_xxxxxxxx

API keys are created in the dashboard. The full key is shown once; store it securely on your server.

Permissions

Each key has one or more permissions:

  • files.read — get upload session status, whoami
  • files.write — create sessions, complete uploads, cancel
  • files.delete — delete files via DELETE /files/:fileId

Project scope

Keys are scoped to a workspace and either specific projects or all projects you selected when creating the key. Use GET /public/whoami to list projects your key can access (each with id, name, and uploadCorsOrigins when configured for CDN client uploads).

Whoami

GET /public/whoami requires files.read. Example response:

whoami response
{
  "apiKeyId": "uuid",
  "workspaceId": "uuid",
  "name": "Production key",
  "permissions": ["files.read", "files.write"],
  "allProjects": false,
  "projects": [
    {
      "id": "uuid",
      "name": "Production",
      "uploadCorsOrigins": ["https://app.example.com"]
    }
  ]
}
Request
curl -s 'https://api.reupload.dev/api/v1/public/whoami' \
  -H 'Authorization: Bearer ru_your_api_key_here'

Rate limits

Upload session creation is limited per API key (per minute, by plan). Other routes share a general API-key rate limit. Exceeded limits return 429 RATE_LIMITED.

Security

Never embed API keys in mobile apps or front-end JavaScript. Call Reupload from your backend, or issue short-lived tokens from your own auth layer if you add that pattern later.