Product
File Intake
File Intake gives your users a hosted upload page at /i/{slug} on your Reupload dashboard domain. You configure the destination project, folder path, labeled upload fields (each with its own file types and limits), and optional access controls in dashboard — no API key is exposed to browsers visiting the intake page.
How it works
- Create and activate an intake in the dashboard (or via workspace API).
- Share the hosted URL with uploaders.
- Uploaders pass any gate (password, email OTP, or none), upload files directly to the CDN, then finalize the submission.
- Files land in your project under the configured folder path with
uploaded_via = intake. - If a webhook is linked, Reupload delivers
intake.completedwith file metadata (see Webhooks).
Access modes
- Public — anyone with the link can start a submission.
- Password — verify password before upload sessions are issued.
- Email verification — one-time code sent to an allowlisted email before upload. Configure
allowedEmailson create/update (1–50 addresses); OTP is only sent to those addresses. The public metadata endpoint does not expose the allowlist. - One-time — intake moves to
completedafter the first successful finalize; the link cannot be reused.
Upload fields
Each intake defines an ordered list of upload fields stored as uploadFields on create/update. Every field has:
id,key(stable slug for storage paths),label, optionaldescriptionrequired(default true),maxFiles(default 1, max 10)allowedCategories— same categories as the dashboard picker (image, document, video, audio, archive, code)
Public metadata returns uploadFields (no intake-wide category list). When creating an upload session, pass fieldId with the filename, content type, and size. Files are stored under {folderPath}/{fieldKey}/{filename}. Finalize succeeds when every required field has at least one completed file; optional fields may be empty.
Workspace API (dashboard auth)
Intake management uses session-authenticated routes under /api/v1/workspaces/:workspaceId/intakes (create, list, update, activate, disable, delete). Permissions: intake:view, intake:manage.
For accessMode: email_verify, include allowedEmails (array of email strings, max 50). At least one email is required when activating on create or via the activate endpoint. List uploaded files includes submitterEmail per file (from the verified submission).
Share link via email (active intakes only, requires intake:manage):
POST /:workspaceId/intakes/:intakeId/share-link— body{ "emails": ["[email protected]"] }(1–20 addresses). Sends a branded email with the hosted URL via Resend. Returnssent,skipped(email + reason), andfailed(email + message) arrays. Each attempt is logged.GET /:workspaceId/intakes/:intakeId/share-logs— paginated share history (intake:view): recipient, status (sent|failed|skipped), sender, timestamp, optional error note.
For accessMode: email_verify, only recipients on allowedEmails receive mail; other addresses are not sent and appear as skippedwith reason "Not on allowed list for this intake."
Public API (hosted page)
Unauthenticated routes under /api/v1/intake/:slug power the hosted UI:
GET— metadata (name,uploadFields, max file size, branding, status)POST /submissions— start a submission (public / one-time)POST /verify-password,/request-email-otp,/verify-email-otp— gates- With
Authorization: Bearer <submissionToken>: create, complete, cancel upload sessions; finalize submission
Upload sessions reuse the same CDN PUT flow as dashboard uploads. Ensure INTAKE_PUBLIC_BASE_URL is included in your upload CORS allowlist in production.
Webhook: intake.completed
Subscribe a dashboard webhook to intake.completed with source intake. Example payload data:
{
"intakeId": "uuid",
"intakeSlug": "abc12def",
"submissionId": "uuid",
"workspaceId": "uuid",
"projectId": "uuid",
"folderPath": "uploads/invoices",
"completedAt": "2026-06-04T12:00:00.000Z",
"submitter": { "email": "[email protected]" },
"files": [
{
"fileId": "uuid",
"projectId": "uuid",
"path": "projects/uuid/files/uuid/invoice.pdf",
"name": "invoice.pdf",
"mimeType": "application/pdf",
"sizeBytes": 120000,
"url": "https://cdn.example.com/...",
"urlExpiresAt": null,
"isPublic": false,
"fieldId": "uuid",
"fieldKey": "logo",
"fieldLabel": "Company logo"
}
]
}submitter is present only when email verification was used. Verify Reupload-Signature the same way as file webhooks.
Security recommendations
- Use password or email verification for sensitive collections; for email verification, configure
allowedEmailsso only known addresses receive OTP codes. - Set expiry presets (24h / 7d) for time-bound campaigns.
- Disable or delete intakes when a link is compromised (slug rotation is not supported in v1).
- Rate limits apply per IP on public endpoints; monitor upload rejections.