Appearance
Authentication
The API supports three authentication methods depending on your use case.
API Key
For server-side integrations. Generate a key from your API Keys page and pass it via the X-Api-Key header:
http
X-Api-Key: bws_a1b2c3d4e5f6...API keys have full access to all API endpoints — upload, delete, list files, manage settings. Never expose them in client-side code.
TIP
API keys don't expire. You can create multiple keys and revoke them individually.
JWT Bearer Token
For the web dashboard and Cognito-authenticated sessions. Pass the token via the Authorization header:
http
Authorization: Bearer eyJhbGciOiJSUzI1NiIs...JWT tokens are issued by AWS Cognito when a user signs in through the IPFS Ninja dashboard. They expire automatically and are not intended for direct API integrations — use API keys instead.
Signed Upload Token
For client-side uploads without exposing your API key. Pass the token via the Authorization header:
http
Authorization: Signed sup_a1b2c3d4e5f6...Signed tokens are time-limited and scoped to upload operations only. They are safe to embed in browser or mobile applications. Generate them from your server using POST /upload/signed-url and hand them to the client.
See Signed Tokens for details on creating, listing, and revoking signed upload tokens.