Object Presign
Endpoint
POST /api/v1/open/objects/presign— Generate an object-storage upload or download presigned URL for a tenant-authorized object.POST /api/v1/open/objects/credentials— Create a tenant-owned object storage access key. The secret is returned once.GET /api/v1/open/objects/credentials— List tenant object credentials without secret material.GET /api/v1/open/objects/credentials/{credential_id}— Get one object credential without secret material.PUT /api/v1/open/objects/credentials/{credential_id}— Update or rotate an object credential.POST /api/v1/open/objects/resources— Create a bucket/key prefix/method/TTL policy, optionally bound to acredential_id.GET /api/v1/open/objects/resources— List tenant object resource policies.PUT /api/v1/open/objects/resources/{resource_id}— Update a tenant object resource policy.
Authentication
- Open Platform signature authentication is required:
X-Api-Id,X-Api-Timestamp,X-Api-Nonce, andX-Api-Signature. X-Request-Idis optional and generated by the platform when omitted.- Tenant-domain authorization is required:
open:object:create. - Tenant identity comes from the authenticated credential binding. The request body cannot declare or override tenant identity.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| bucket | string | yes | Object storage bucket |
| object_key | string | yes | Object key; must match a tenant object-resource policy prefix |
| method | string | yes | PUT or GET |
| expires_seconds | integer | no | URL TTL; defaults to 900, maximum 3600, and must not exceed the resource policy |
| content_type | string | no | Recommended for uploads; returned as a response header only for PUT |
Response
Security Rules
- The platform matches object policy only with the authenticated
tenant_idandclient_id. - Object policy must allow the bucket, key prefix, method, and TTL.
object_keycannot start with/and cannot contain../.- The platform records safe audit facts but does not persist presigned URLs, access keys, secret keys, session tokens, or object bodies.
- Logs must not contain signed URLs, object bodies, or object storage secrets.
Common Errors
| code | HTTP | Description |
|---|---|---|
UNAUTHORIZED | 401 | Missing or invalid authenticated identity |
SIGNATURE_INVALID | 401 | Signature mismatch |
TIMESTAMP_EXPIRED | 401 | Request timestamp is outside the allowed skew window |
NONCE_REPLAYED | 401 | Nonce was reused within the replay window |
FORBIDDEN | 403 | Client is not authorized in the tenant domain |
OBJECT_POLICY_DENIED | 403 | Bucket, key, method, or TTL does not satisfy object-resource policy |
OBJECT_SIGNING_FAILED | 500 | Object storage URL signing failed |
VALIDATION_FAILED | 400 | Required field missing, invalid type, or out-of-range value |
INTERNAL_ERROR | 500 | Platform internal error |