UploadKit
API Reference

Authentication

API key authentication — key types, header format, security model, and error handling.

The UploadKit REST API authenticates using API keys passed in the x-api-key request header. There are no cookies, no OAuth flows, and no JWTs for API access.

Key Types

PrefixEnvironmentBehavior
uk_live_ProductionReal uploads, counted against storage and upload quotas
uk_test_Test / sandboxIsolated environment, no quota impact, uploads purged after 24 hours

Use uk_test_ keys during development and CI. Switch to a uk_live_ key before going to production.

Header Format

Pass your API key in the x-api-key header on every request:

curl https://api.uploadkit.dev/api/v1/files \
  -H "x-api-key: uk_live_xxxxxxxxxxxxxxxxxxxxx"

Never put API keys in query string parameters — they end up in server logs, browser history, and referrer headers. Always use the x-api-key header.

Creating API Keys

Create API keys in the dashboard under Settings → API Keys:

  1. Open your project in app.uploadkit.dev
  2. Navigate to API Keys in the sidebar
  3. Click Create Key and give it a descriptive name
  4. Copy the plaintext key — it is shown only once at creation

See the API Keys dashboard guide for screenshots and role configuration.

Security Model

UploadKit stores only a SHA-256 hash of each key — the plaintext is never persisted:

  • The key hash is stored alongside a masked prefix (uk_live_xxx...xxx) for display in the dashboard
  • When you make a request, the server hashes your key and compares it to the stored hash
  • If you lose a key, you must revoke it and create a new one — there is no recovery

This means a database breach cannot expose working API keys.

401 Unauthorized

If your key is missing, malformed, or has been revoked, the API returns 401:

{
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Invalid or missing API key",
    "suggestion": "Check your API key at app.uploadkit.dev"
  }
}

Common causes:

CauseFix
Missing x-api-key headerAdd the header to every request
Key prefixed with Bearer Remove the Bearer prefix — use the key directly
Using a test key against a live route (or vice versa)Match key type to environment
Key has been revokedCreate a new key in the dashboard
Key belongs to a different projectCheck you are using the correct project key

Example: Authenticated Request

curl -X GET https://api.uploadkit.dev/api/v1/files?limit=10 \
  -H "x-api-key: uk_live_xxxxxxxxxxxxxxxxxxxxx" \
  -H "Content-Type: application/json"

For the security model behind key hashing and presigned URLs, see Security.

REST API Overview

UploadKit REST API — base URL, authentication, response format, rate limiting, and pagination.

Upload Endpoints

Request presigned URLs, confirm uploads, and manage multipart uploads via the REST API.

On this page

Key TypesHeader FormatCreating API KeysSecurity Model401 UnauthorizedExample: Authenticated Request