#Most secure way to serve files

muted coyote
In Convex, what is the most secure way to serve files and images stored in Convex? Is there a solution with presigned URLs?

ionic edgeBOT
Hi @muted coyote. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:

The most secure way to serve files and images stored in Convex depends on your specific security requirements:

1. Access Control via HTTP Actions

For maximum security, you can serve files through custom HTTP actions. This allows you to implement access control logic at the time the file is served. For example, you can check authentication, authorization, or any other business logic before returning the file. Here’s a basic example:

```ts
import { httpRouter } from "convex/server";
import { httpAction } from "./_generated/server";
import { Id } from "./_generated/dataModel";

const http = httpRouter();

http.route({
  path: "/getImage",
  method: "GET",
  handler: httpAction(async (ctx, request) => {
    const { searchParams } = new URL(request.url);
    const rawId = searchParams.get("storageId");
    // Reject requests that carry no storageId instead of passing null to storage
    if (rawId === null) {
      return new Response("Missing storageId", { status: 400 });
    }
    const storageId = rawId as Id<"_storage">;
    const blob = await ctx.storage.get(storageId);
    if (blob === null) {
      return new Response("Image not found", { status: 404 });
    }
    // Add your access control logic here
    return new Response(blob);
  }),
});

// The router must be the default export for the route to be registered
export default http;
```

This approach ensures that only authorized users can access the file, as you control the logic in the handler. Note that HTTP action responses are currently limited to 20MB, so for larger files, you must use file URLs instead (Serving Files: Common patterns).

2. File URLs with Access Control at Generation

You can generate file URLs using ctx.storage.getUrl(storageId) and return them from queries or mutations. You can control who gets access to a file by restricting who can call the query or mutation that generates the URL. However, once the URL is generated, it can be shared and accessed by anyone with the link, as these URLs are currently permanent and not time-limited (Serving Files; Discord: getUrl permanence).

3. Presigned URLs / Timed URLs

As of now, Convex does not support presigned or time-limited URLs for file access. The URLs generated by getUrl are permanent. There are plans to support timed URLs in the future, similar to S3 presigned URLs, but this is not yet available (Discord: getUrl permanence).


Summary:

  • For the highest security, use HTTP actions to serve files with custom access control.
  • If you use file URLs, restrict access at the time of URL generation, but be aware that the URLs are permanent.
  • Presigned/timed URLs are not currently supported in Convex.

If you need strict, time-limited access, you will need to implement your own logic using HTTP actions or wait for future Convex features.

Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
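
The "implement your own logic using HTTP actions" route mentioned above can be built as an HMAC-signed, expiring query string that the /getImage handler checks before it reads from storage. This is an added example, not code from the thread or from Convex: the names signFileAccess and checkFileAccess and the exp and sig parameters are hypothetical, and it uses Node's crypto module so that it runs on its own (the runtime your HTTP action runs in may need the Web Crypto equivalent, which is an assumption to verify).

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// HMAC-SHA256 over an unambiguous encoding of (storageId, expiry).
function mac(storageId: string, exp: string, secret: string): Buffer {
  return createHmac("sha256", secret)
    .update(JSON.stringify([storageId, exp]))
    .digest();
}

// Called from an authenticated query or mutation once the caller is authorized.
// Returns the query string to append to the /getImage route.
export function signFileAccess(
  storageId: string, ttlSeconds: number, nowMs: number, secret: string,
): string {
  const exp = String(Math.floor(nowMs / 1000) + ttlSeconds);
  const sig = mac(storageId, exp, secret).toString("base64url");
  return new URLSearchParams({ storageId, exp, sig }).toString();
}

// Called at the top of the HTTP action, before ctx.storage.get().
// Returns the status the handler should answer with; 200 means "serve the blob".
export function checkFileAccess(
  requestUrl: string, nowMs: number, secret: string,
): 200 | 400 | 403 {
  const { searchParams } = new URL(requestUrl);
  const storageId = searchParams.get("storageId");
  const exp = searchParams.get("exp");
  const sig = searchParams.get("sig");
  if (!storageId || !exp || !sig || !/^\d{1,12}$/.test(exp)) return 400;
  const given = Buffer.from(sig, "base64url");
  const expected = mac(storageId, exp, secret);
  // Constant-time compare; check lengths first because timingSafeEqual
  // throws when the two buffers differ in size.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return 403;
  }
  // Only trust exp after the signature over it has been verified.
  if (nowMs / 1000 >= Number(exp)) return 403;
  return 200;
}
```

A link signed this way can still be shared until it expires, so the TTL should be as short as the client can tolerate, and the secret belongs in a deployment environment variable rather than in source.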