The key server bundles a presign endpoint that generates presigned S3 PUT URLs. The Uploader uses this to upload encrypted segments directly from the browser to S3 — without routing bytes through your server.
Enable presign
How it works
- The uploader sends
POST /presign with the S3 key and content type
- The key server validates the JWT (if auth is enabled), then generates a presigned PUT URL
- The uploader uploads encrypted bytes directly to S3 using the presigned URL
Presign response
The presigned URL expires after 300 seconds (5 minutes) by default.
Configuration
S3-compatible storage
For MinIO, Cloudflare R2, or Backblaze B2, set S3_ENDPOINT:
Security
If authentication is not configured (AUTH_JWT_SECRET or AUTH_JWKS_URL), the presign endpoint is open to anyone who can reach the key server. Always enable authentication when ENABLE_PRESIGN=true in production.
- Presign requests require the same JWT authentication as key requests (if auth is enabled)
- The key server validates that the S3 key starts with an allowed prefix (default:
content/)
- Presigned URLs are short-lived (5 minutes) and single-use