Using Secret Keys instead of Policies and Signatures

When you have security enabled, all requests to either the JavaScript API or our REST APIs require authorization. This is normally achieved through our policy and signature system. However, it is also possible to authorize your REST requests without a policy and signature by passing a secret key. This method is riskier, because it can expose the secret key used to secure your account. We recommend using it only in server-side processes that are not exposed to your customers.

The secret key information can be passed in two different ways:


  1. The request includes a "user", which is the word "app", and a "password", which is the "App Secret" found in the Security section of the developer portal under App Secret.

     User and Password example:

    curl -u "app:TN6MAIP4XZHLFLX7RO2D77X4JU" -X DELETE 'https://www.filestackapi.com/api/file/HANDLE?key=APIKEY'

  2. The request is accompanied by a base64 string containing the "App Secret" found in the Security section of the developer portal under App Secret. The header string to be base64 encoded should look like this: 'app:TN6MAIP4XZHLFLX7RO2D77X4JU'. If you encode this at https://www.base64encode.org/ for example, you should receive: 'YXBwOlRONk1BSVA0WFpITEZMWDdSTzJENzdYNEpV'

     Basic Access Authentication example:

    curl -H "Authorization: Basic YXBwOlRONk1BSVA0WFpITEZMWDdSTzJENzdYNEpV" -X DELETE 'https://www.filestackapi.com/api/file/HANDLE?key=APIKEY'
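
The Basic header can also be built locally, so the App Secret is never pasted into a website or typed on the command line. This is an added example, not part of the Filestack documentation: it encodes the header with the local base64 tool and passes it to curl as a config read from stdin, which keeps the secret out of the process list. The function names and the FILESTACK_APP_SECRET environment variable are assumptions.

```shell
#!/bin/sh
# Added example. FILESTACK_APP_SECRET and the function names are illustrative
# assumptions, not identifiers from the Filestack documentation.

# Encode "app:<secret>" for a Basic Authorization header.
# printf (not echo) is used so that no trailing newline gets encoded, and
# tr strips the line wrapping that some base64 builds insert.
basic_auth_value() {
    printf 'app:%s' "$1" | base64 | tr -d '\n'
}

# Emit a curl config line carrying the header. Feeding this to curl on stdin
# keeps the secret out of curl's argv, where `ps` could show it.
curl_auth_config() {
    printf 'header = "Authorization: Basic %s"\n' "$(basic_auth_value "$1")"
}

# Delete a file handle. The secret comes from the environment; the handle and
# API key are arguments. Not called here: it needs network access.
delete_handle() {
    handle=$1
    apikey=$2
    : "${FILESTACK_APP_SECRET:?set FILESTACK_APP_SECRET in the environment}"
    curl_auth_config "$FILESTACK_APP_SECRET" |
        curl --config - -X DELETE \
            "https://www.filestackapi.com/api/file/${handle}?key=${apikey}"
}
```

Call it as `delete_handle HANDLE APIKEY` from a server-side job that has FILESTACK_APP_SECRET set in its environment.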