Uploads, Shared Links, and Coauthoring APIs

These API families are where integration bugs usually become user-visible incidents.

Uploads

SynckHub uses in-process tus v1 endpoints and upload intent/session APIs.

Key rule:

  • respect size limits and intent/session lifecycle; do not bypass finalize paths

Shared Links

Public link workflow includes:

  • create/revoke (authenticated)
  • metadata read/unlock/list/content/download (public token-gated)

Token URLs are capability links. Treat them as sensitive credentials.

Server rule:

  • distribute the server-returned public_url; clients should not rebuild shared-link URLs from their current browser origin

Web rule:

  • public shared-link pages should resolve infra_key -> api_base_url from the web app’s version-controlled routing table and call the owning infra directly
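The server and web rules above, as an added example (not SynckHub's own code): a shared-link page resolves infra_key against a checked-in table and fails closed on unknown keys instead of falling back to the browser origin. The table entries, the /public/links/<token>/metadata path and the token character set are assumptions made for this illustration.

```javascript
// Hypothetical routing table standing in for the version-controlled
// infra_key -> api_base_url map. Keys and hosts are constructed samples.
const INFRA_ROUTES = Object.freeze({
  "eu-1": "https://api.eu-1.example.test",
  "us-1": "https://api.us-1.example.test",
});

// Resolve the owning infra's API base. Unknown keys fail closed: there is no
// fallback to window.location.origin or to a host taken from the link itself.
function resolveApiBase(infraKey, routes = INFRA_ROUTES) {
  // Own-property check so "constructor" or "__proto__" cannot match.
  const known = typeof infraKey === "string" &&
    Object.prototype.hasOwnProperty.call(routes, infraKey);
  if (!known) throw new Error("unknown infra_key");
  const base = new URL(routes[infraKey]);
  if (base.protocol !== "https:") throw new Error("api_base_url must be https");
  return base.origin;
}

// Build the metadata request for a public token. The path shape and the
// token character set are assumptions for this example.
function publicMetadataRequest(infraKey, token) {
  if (typeof token !== "string" || !/^[A-Za-z0-9_-]+$/.test(token)) {
    throw new Error("malformed token");
  }
  const base = resolveApiBase(infraKey);
  return {
    url: `${base}/public/links/${token}/metadata`,
    // The token is a credential: log this form, never `url`.
    logUrl: `${base}/public/links/[REDACTED]/metadata`,
  };
}
```

Send requests to `url` and pass only `logUrl` to logging, analytics, or error reporting.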

Coauthoring

Two paths are supported:

  • Office WOPI action URL + lock/save lifecycle
  • Yjs session mint + websocket/callback lifecycle

For both paths, server-minted tokens and callback security secrets are mandatory.

Do not let clients mint or reinterpret these trust artifacts.