Back
Object Storage
CDNetworks Documentation Object Storage API Upload Credential

Upload Credential

Last update:2025-08-18 15:33:42

Place the upload credential in the request form; parameter name: token.

The three underlying data sources for constructing the upload credential are as follows:

  • Upload Policy Data (putPolicy)
    Upload Policy Data are a set of configuration settings supplied during the resource upload. With this set of configuration information, CDNetworks Object Storage can understand a user’s upload requirements: What resources he/she will upload, to which bucket he/she will upload, whether the upload result is callback notification or using redirection, whether the content of the feedback information needs to be set, and the end of the validity period of authorized upload, so on and so forth.
  • Security Key (SecretKey)
    Please obtain the SK from the Object Storage storage platform key administrator.
  • Access Key (AccessKey)
    Please obtain the AK from the Object Storage storage platform key administrator.

The upload credential uploadToken is the result of a complex signature calculation based on the three underlying data sources. By verifying the upload credential, we can ensure that illegal upload requests are blocked and illegal intrusions are prevented.

Upload Policy Data

Data Format

     {
      "scope": "<bucket string>",
      "deadline": "<deadline string>",
      "saveKey": "<saveKey string>"
      "returnUrl": "<returnUrl string>",
      "returnBody": "<returnBody string>",
      "overwrite": "<overwrite int>",
      "fsizeLimit": "<fsizeLimit long>",
      "callbackUrl": "<callbackUrl string>",
      "callbackBody": "<callbackBody string>",
      "persistentOps": "<persistentOps string>",
      "persistentNotifyUrl": "<persistentNotifyUrl string>"
      "contentDetect": "<contentDetctstring>"
      "detectNotifyURL": "<detectNotifyURL string>"
      "detectNotifyRule":"<detectNotifyRule>"
      "separate": "<separate int>"
    }

Format Descriptions

Field name Required Description
scope Yes Specifies the destination bucket <bucket> of the upload and the file name<key>. There are two formats:
a. <bucket> indicates the uploading of a file to the specified bucket.
b. <bucket>:<key> indicates the uploading of a file to the specified bucket, where the file is named as key. When overwrite is 1, the same-name resource (if existing) will be overwritten.
deadline Yes The deadline for upload request authorization; UNIX timestamp; unit: millisecond. Example: 1398916800000, indicating the time of 2014-05-01 12:00:00.
saveKey No Custom Resource Name,Specify the final storage path of the file in object storage. This field only supports the normal upload method.
fsizeLimit No Limits the size of the upload file; unit: Byte. Upload of any file larger than the size limit will fail, and a 401 status code will be returned.
NOTE: No limit is in place when this item is set to 0
overwrite No Specifies whether or not to overwrite a file that already exists on the server:
0 - Do not overwrite
1 - Overwrite. 0 by default.
returnUrl No When a file is uploaded from a web end, the browser will execute the URL redirected by a 303. This is often used for HTML Form uploads. If the file has been uploaded successfully, the redirection points to <returnUrl>?upload_ret=urlsafe_base64_encode(returnBody). If the file upload has failed, the redirection points to <returnUrl>?code=<code>&message=<message>, where <code> is the error code and <message> is specific information on the error. If returnUrl is not set, the content of returnBody will be returned straight to the client.
returnBody No Customizes data that will ultimately be returned to the upload end upon a successful upload. If you only need to return the file name and file address, just set returnBody as fname=$(fname)&url=$(url). For details on the usage, see the Returned Data Description.
callbackUrl No Upon a successful upload, the Object Storage requests the address with the POST method. (Requirement: The address must be a public network URL address that can respond normally with HTTP/1.1 200 OK. If there are special characters like spaces, Url Encode encoding is required.) The response data for this address is in JSON format.
callbackBody No Upon a successful upload, CDNetworks Object Storage submits data to callbackUrl with the POST method.callbackBody must be a legal url query string, for example: key=$(key)&fsize=$(fsize). For details on the usage, see the Callback Method Data Description
persistentNotifyUrl No The address for receiving the preprocessing result notification must be a public network URL address that can respond normally with HTTP/1.1 200 OK. If there are special characters like spaces, Url Encode encoding is required. For details on the content of the notification, see the Notification Data Content Description
persistentOps No Preprocesses the instruction list upon successful upload of a file. Each instruction is an API-specification character string. The semicolon, ;, is used to separate multiple instructions. See the Instruction Description.
contentDetect No Performs the content identification operation upon the successful upload of a file. Parameters supported:
imagePorn - porn identification for images, imageTerror - terrorism identification for images, imagePolitical - politician identification
detectNotifyURL No The address for receiving the identification result notification must be a public network URL address that can respond normally with HTTP/1.1 200 OK. If there are special characters like spaces, Url Encode encoding is required. For details on the content of the notification, see the Identification Notification Data Content Description
detectNotifyRule No Sets identification result notification rules.
all Notification on all images
porn Notification on pornographic images
sexy Notification on sexy images
normal Notification on normal images
exception Notification on images identified as exceptions
terror Notification on violent and terrorism images(Valid only when the identification type is imageTerror)
political Notification on identification of images of politicians (Valid only when the identification type is imagePolitical)
Parameters can be combined with each other and separated by the semicolon
For example: When the parameter is set as porn;exception, the notification on the results of the identification will be pornographic images or images identified as exceptions
separate No Whether or not there are separate transcoding notifications. Set 1 and 0 as option codes:
1: Indicates that persistentNotifyUrl is notified upon completion of the execution of each transcoding instruction
0: Indicates that persistentNotifyUrl is notified in one go upon completion of the execution of all transcoding instructions
The default value is 0

Note:

  1. Please complete setting the persistentNotifyUrl field when setting the persistenOps field. The platform will notify you of the result of instruction processing by calling the URL set in the persistentNotifyUrl field. For details, see the Notification Data Content Description.
  2. Use the upload processing mechanism. When setting the persistenOps field, the instruction parameter saveas is required and the key may not be the same as that of the original file. Otherwise, a 401 will be returned with the prompt message of “The Persistent File Already Exists”
  3. The file naming priority is as follows: The key of Scope > saveKey > form key > name of the original file

​​Upload Credential Generation Algorithm​

1. Build the upload policy
Use the JSON format to encapsulate some information of the uploaded file putPolicy

     {
      "scope": "<bucket string>",
      "deadline": "<deadline string>",
      "returnBody": "<returnBody string>",
      "overwrite": "<overwrite int>",
      "fsizeLimit": "<fsizeLimit long>",
      "returnUrl": "<returnUrl string>"
    }

2. Upload Policy For URL-Safe Base64 Codes

Perform URL-Safe Base64 Encoding for putPolicy to obtain encodePutPolicy

encodePutPolicy = urlsafe_base64_encode(putPolicy)

3. HMAC-SHA1 Signature Generation
Use SecretKey to provide HMAC-SHA1 signature for encodePutPolicy to obtain Sign

Sign = hmac_sha1(encodePutPolicy, "<SecretKey>")

4. URL-Safe Base64 Encoded Signature Data
Perform URL-Safe Base64 Encoding for the signature data Sign to obtain encodedSign

encodeSign = urlsafe_base64_encode(Sign)

5. Generate the Upload Credential
Join AccessKey, encodedSign and encodeputPolicy together using : to obtain the upload credential uploadToken

uploadToken = AccessKey:encodedSign:encodePutPolicy
Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!

CDNetworks Inc., © 2025. 1840 Enterprise Way, Monrovia, CA 91016 – All rights reserved.