Object Presign

Endpoint

  • POST /api/v1/open/objects/presign — Generate an object-storage upload or download presigned URL for a tenant-authorized object.
  • POST /api/v1/open/objects/credentials — Create a tenant-owned object storage access key. The secret is returned once.
  • GET /api/v1/open/objects/credentials — List tenant object credentials without secret material.
  • GET /api/v1/open/objects/credentials/{credential_id} — Get one object credential without secret material.
  • PUT /api/v1/open/objects/credentials/{credential_id} — Update or rotate an object credential.
  • POST /api/v1/open/objects/resources — Create a bucket/key prefix/method/TTL policy, optionally bound to a credential_id.
  • GET /api/v1/open/objects/resources — List tenant object resource policies.
  • PUT /api/v1/open/objects/resources/{resource_id} — Update a tenant object resource policy.
The API service signs URLs only. It does not proxy object bytes; clients use the returned URL to communicate directly with object storage. Object credentials and resource policies are tenant configuration resources; they should not be embedded in every presign request.

Authentication

  • Open Platform signature authentication is required: X-Api-Id, X-Api-Timestamp, X-Api-Nonce, and X-Api-Signature.
  • X-Request-Id is optional and generated by the platform when omitted.
  • Tenant-domain authorization is required: open:object:create.
  • Tenant identity comes from the authenticated credential binding. The request body cannot declare or override tenant identity.

Request Body

FieldTypeRequiredDescription
bucketstringyesObject storage bucket
object_keystringyesObject key; must match a tenant object-resource policy prefix
methodstringyesPUT or GET
expires_secondsintegernoURL TTL; defaults to 900, maximum 3600, and must not exceed the resource policy
content_typestringnoRecommended for uploads; returned as a response header only for PUT
{
  "bucket": "utmos-objects",
  "object_key": "tenant_001/uploads/flight-task.bin",
  "method": "PUT",
  "expires_seconds": 900,
  "content_type": "application/octet-stream"
}

Response

{
  "method": "PUT",
  "url": "https://objects.example/utmos-objects/tenant_001/uploads/flight-task.bin?...",
  "headers": {
    "Content-Type": "application/octet-stream"
  },
  "expires_at": "2026-05-21T12:15:00Z",
  "request_id": "req-object-001"
}

Security Rules

  • The platform matches object policy only with the authenticated tenant_id and client_id.
  • Object policy must allow the bucket, key prefix, method, and TTL.
  • object_key cannot start with / and cannot contain ../.
  • The platform records safe audit facts but does not persist presigned URLs, access keys, secret keys, session tokens, or object bodies.
  • Logs must not contain signed URLs, object bodies, or object storage secrets.

Common Errors

codeHTTPDescription
UNAUTHORIZED401Missing or invalid authenticated identity
SIGNATURE_INVALID401Signature mismatch
TIMESTAMP_EXPIRED401Request timestamp is outside the allowed skew window
NONCE_REPLAYED401Nonce was reused within the replay window
FORBIDDEN403Client is not authorized in the tenant domain
OBJECT_POLICY_DENIED403Bucket, key, method, or TTL does not satisfy object-resource policy
OBJECT_SIGNING_FAILED500Object storage URL signing failed
VALIDATION_FAILED400Required field missing, invalid type, or out-of-range value
INTERNAL_ERROR500Platform internal error