Files API

Endpoints

  • POST /api/files
  • GET /api/files/{id}
  • DELETE /api/files/{id}

All files endpoints require authentication.

Upload

bash
curl -s -X POST http://127.0.0.1:3000/api/files \
  -H 'Authorization: Bearer <token>' \
  -F file=@./avatar.png

Upload behavior:

  • Expects multipart form with one file field.
  • Max size: 10 MB.
  • Stores metadata: id, owner_id, mime_type, size, checksum.

Download

bash
curl -s http://127.0.0.1:3000/api/files/1 \
  -H 'Authorization: Bearer <token>' \
  --output out.bin

Returns the raw bytes, with the Content-Type header set from the stored mime_type.

Delete

bash
curl -s -X DELETE http://127.0.0.1:3000/api/files/1 \
  -H 'Authorization: Bearer <token>'

Access policy:

  • Owner and admin users can access any file.
  • Other users can access only files they own.

Storage path traversal is blocked by runtime checks.
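
One way such a runtime check can work, as an added example that is not this project's code: resolve the requested storage key against the storage root and refuse anything that lands outside it. The function names, the on-disk layout and the sample keys are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


class UnsafePath(Exception):
    """A storage key that would resolve outside the storage root."""


def resolve_storage_path(root: Path, key: str) -> Path:
    """Map a storage key to a path, refusing anything outside root."""
    if not key or "\x00" in key:
        raise UnsafePath("empty key or NUL byte")
    root = root.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so the containment
    # test below sees the path the OS would actually open.
    candidate = (root / key).resolve()
    if candidate == root or not candidate.is_relative_to(root):
        raise UnsafePath(f"{key!r} escapes the storage root")
    return candidate


def demo() -> dict:
    """Run the check over constructed keys; returns label -> accepted."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "storage"  # hypothetical storage root
        root.mkdir()
        (root / "1.bin").write_bytes(b"constructed sample")
        outside = Path(tmp) / "outside.txt"
        outside.write_text("not under the storage root")
        os.symlink(outside, root / "link.bin")  # symlink leaving the root
        cases = {
            "plain": "1.bin",
            "dotdot": "../outside.txt",
            "nested_dotdot": "a/../../outside.txt",
            "absolute": str(outside),
            "symlink": "link.bin",
            "root_itself": ".",
        }
        for label, key in cases.items():
            try:
                resolve_storage_path(root, key)
                results[label] = True
            except UnsafePath:
                results[label] = False
    return results


if __name__ == "__main__":
    print(demo())
```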