Skip to content

docs(files): document custom_download_url signature verification semantics#140

Merged
karlrank merged 1 commit into
mainfrom
docs/custom-download-url-signature-canonicalization
Jul 16, 2026
Merged

docs(files): document custom_download_url signature verification semantics#140
karlrank merged 1 commit into
mainfrom
docs/custom-download-url-signature-canonicalization

Conversation

@karlrank

Copy link
Copy Markdown
Member

Documents how verifyCustomDownloadUrl treats the request URL, following the file-api change that canonicalizes the signed message (query params sorted by key):

  • Pass the full request URL exactly as received — verification is independent of query parameter order.
  • All parameters and values must be present and unmodified.
  • Signatures are org-bound and expire 15 minutes after minting.

Context: the previous byte-exact verification deterministically failed for consumers behind API Gateway REST (payload v1), which alphabetizes query params — e.g. the erp-integration file proxy streaming endpoint. Companion changes:

🤖 Generated with Claude Code

…ntics

The signature now covers a canonical form of the URL (query params sorted
by key), so verification is independent of query parameter order. Document
that consumers should pass the request URL exactly as received, that all
params must be unmodified, and the 15-minute signature TTL.
@karlrank
karlrank merged commit bd15a50 into main Jul 16, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant