Skip to main content
The key server bundles a presign endpoint that generates presigned S3 PUT URLs. The Uploader uses this to upload encrypted segments directly from the browser to S3 — without routing bytes through your server.

Enable presign

How it works

  1. The uploader sends POST /presign with the S3 key and content type
  2. The key server validates the JWT (if auth is enabled), then generates a presigned PUT URL
  3. The uploader uploads encrypted bytes directly to S3 using the presigned URL

Presign request format

Presign response

The presigned URL expires after 300 seconds (5 minutes) by default.

Configuration

S3-compatible storage

For MinIO, Cloudflare R2, or Backblaze B2, set S3_ENDPOINT:

Security

If authentication is not configured (AUTH_JWT_SECRET or AUTH_JWKS_URL), the presign endpoint is open to anyone who can reach the key server. Always enable authentication when ENABLE_PRESIGN=true in production.
  • Presign requests require the same JWT authentication as key requests (if auth is enabled)
  • The key server validates that the S3 key starts with an allowed prefix (default: content/)
  • Presigned URLs are short-lived (5 minutes) and single-use