Concepts
Signed URLs
Time-limited, method-scoped URLs for direct browser uploads and downloads.
Signed URLs let untrusted clients upload or download a single object without
your API key. Each URL is HMAC-signed and scoped to one method (GET or PUT),
one key, and an expiry — it cannot be replayed against another object or verb.
Issue a signed URL
const { url, expiresAt } = await storage.objects.createSignedUrl({
  bucket: "avatars",
  key: "users/42.png",
  method: "PUT", // or "GET"
  expiresIn: "15m", // "30s" | "15m" | "7d" | seconds
  maxBytes: 5_000_000, // optional cap for uploads
});
Use it (no API key)
// browser
await fetch(url, { method: "PUT", body: file });
Signed URLs grant temporary access to exactly one object. Keep expiries short (minutes, not days) for uploads.
See the browser uploads guide for an end-to-end example.
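An added sketch (not the service's actual signing scheme or SDK code) of how an HMAC can bind a URL to one method, one key and an expiry, so that a replay against another object or verb fails verification. The host storage.example, the expires and sig query parameters, the secret and all function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed; a real key stays server-side

// Hypothetical signing input: verb, bucket, key and expiry, JSON-encoded so that
// field boundaries are unambiguous and no field can be swapped or merged.
function sign(method, bucket, key, expires) {
  const canonical = JSON.stringify([method.toUpperCase(), bucket, key, expires]);
  return crypto.createHmac("sha256", SECRET).update(canonical).digest("hex");
}

// Hypothetical URL layout: /<bucket>/<key>?expires=<unix seconds>&sig=<hex>
function issueSignedUrl({ method, bucket, key, expiresInSec, now = Date.now() }) {
  const expires = Math.floor(now / 1000) + expiresInSec;
  const path = `/${bucket}/${key.split("/").map(encodeURIComponent).join("/")}`;
  const sig = sign(method, bucket, key, expires);
  return `https://storage.example${path}?expires=${expires}&sig=${sig}`;
}

// Server side: recompute the HMAC from the request as it actually arrived.
function verifyRequest(method, url, now = Date.now()) {
  const u = new URL(url);
  const [bucket, ...rest] = u.pathname.slice(1).split("/");
  const key = rest.map(decodeURIComponent).join("/");
  const expires = Number(u.searchParams.get("expires"));
  const got = Buffer.from(u.searchParams.get("sig") || "", "hex");
  const want = Buffer.from(sign(method, bucket, key, expires), "hex");
  // Check length first: timingSafeEqual throws on buffers of unequal length.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return "bad-signature";
  }
  // Expiry is only trusted after the signature over it has been verified.
  if (Math.floor(now / 1000) > expires) return "expired";
  return "ok";
}

// Constructed demo: the URL is valid for PUT on one key, not for GET.
const demoUrl = issueSignedUrl({
  method: "PUT", bucket: "avatars", key: "users/42.png", expiresInSec: 900,
});
console.log(verifyRequest("PUT", demoUrl), verifyRequest("GET", demoUrl));
```

The sketch covers method, key and expiry only; enforcing an upload cap such as maxBytes is a separate server-side check.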