Vault
Concepts

Signed URLs

Time-limited, method-scoped URLs for direct browser uploads and downloads.

Signed URLs let untrusted clients upload or download a single object without your API key. Each URL is HMAC-signed and scoped to one method (GET or PUT), one key, and an expiry — it cannot be replayed against another object or verb.

Issue a signed URL

const { url, expiresAt } = await storage.objects.createSignedUrl({
  bucket: "avatars",
  key: "users/42.png",
  method: "PUT",        // or "GET"
  expiresIn: "15m",     // "30s" | "15m" | "7d" | seconds
  maxBytes: 5_000_000,  // optional cap for uploads
});

Use it (no API key)

// browser
await fetch(url, { method: "PUT", body: file });

Signed URLs grant temporary access to exactly one object. Keep expiries short (minutes, not days) for uploads.

See the browser uploads guide for an end-to-end example.

On this page