Skip to main content

Files API

Manage files attached to your agents. You can upload files for an agent to access, download them securely, list existing files, and delete them. All endpoints require session authentication.

Download a file

Downloads a file by its ID. The server validates that the resolved file path is within the configured upload directory to prevent path traversal attacks. Returns the raw file content as a binary download.

Query parameters

Response headers

Errors

The download URL format is /api/files?download={id}. Files are only accessible to the user who uploaded them.

List files

Returns all files for the authenticated user, optionally filtered by agent.

Query parameters

Response

File object

Errors

Upload a file

Upload a file for an agent. The request must use multipart/form-data encoding.

Request body (multipart/form-data)

Response (201)

Upload response fields

The GET endpoint returns filename while the POST response returns name. Both refer to the sanitized filename of the uploaded file.

Filename validation

Uploaded filenames are sanitized before storage:
  1. Leading dots are stripped — files like .env become env. A filename consisting entirely of dots (e.g., ...) becomes empty after stripping.
  2. Unsafe characters are replaced — characters outside a-zA-Z0-9._- are replaced with underscores.
  3. Length is limited to 128 characters — filenames longer than 128 characters are truncated.
  4. Fallback naming — if the sanitized filename is empty, a fallback name of upload_{timestamp} is used.
The stored filename may differ from the original filename you provided. Dotfiles (files starting with .) cannot be uploaded — the leading dots are always removed.

Errors

Delete a file

Delete a file by its ID.

Request body

Response

Errors