List files in a room
GET /api/v1/rooms/:room_id/files
Response
{
  "data": [
    {
      "id": "file_uuid",
      "name": "term-sheet-v3.pdf",
      "size": 204800,
      "classification": "C4",
      "uploaded_by": "user_uuid",
      "uploaded_at": "2024-01-15T10:30:00Z",
      "content_type": "application/pdf"
    }
  ]
}
Upload a file
File upload is a two-step process: the client encrypts the file, then uploads ciphertext.
Step 1 — Request an upload URL
POST /api/v1/rooms/:room_id/files/upload-url
{
  "name": "term-sheet-v3.pdf",
  "size": 204800,
  "content_type": "application/pdf",
  "classification": "C4"
}
Response
{
  "file_id": "file_uuid",
  "upload_url": "https://storage.../presigned-url",
  "wrapped_dek": "base64-encoded-wrapped-dek",
  "kms_key_id": "your-kms-key-arn"
}
Step 2 — Encrypt and upload
- Use the wrapped_dek to request decryption from your KMS → receive DEK
- Generate a random 96-bit IV
- Encrypt file content with AES-256-GCM using DEK + IV
- PUT ciphertext to upload_url
- Confirm upload:
POST /api/v1/rooms/:room_id/files/:file_id/confirm
{
  "iv": "base64-encoded-iv",
  "tag": "base64-encoded-auth-tag"
}
The Enclave web client handles encryption automatically. The two-step API is for custom integrations where you control the encryption process.
Download a file
GET /api/v1/files/:file_id/download-url
Response
{
  "download_url": "https://storage.../presigned-url",
  "wrapped_dek": "base64-encoded-wrapped-dek",
  "iv": "base64-encoded-iv",
  "tag": "base64-encoded-auth-tag",
  "kms_key_id": "your-kms-key-arn"
}
Decrypt: download ciphertext → unwrap DEK via KMS → AES-256-GCM decrypt using IV → verify tag.
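The encryption in Step 2 of the upload and the decrypt sequence above, as an added Node.js example that is not part of the Enclave documentation or client. It assumes the DEK has already been unwrapped by your KMS (a random key stands in for it here) and a 16-byte GCM tag, which is Node's default; the function names are hypothetical.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Step 2 of upload. `dek` is the 32-byte key your KMS returns after unwrapping
// wrapped_dek (the KMS call itself is outside this example).
function encryptForUpload(dek, plaintext) {
  if (dek.length !== 32) throw new Error('AES-256-GCM needs a 32-byte DEK');
  const iv = randomBytes(12); // fresh random 96-bit IV for every encryption
  const cipher = createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    ciphertext, // body of the PUT to upload_url
    confirmBody: { // JSON body of the confirm request
      iv: iv.toString('base64'),
      tag: cipher.getAuthTag().toString('base64'),
    },
  };
}

// Download. `meta` carries the base64 iv and tag fields of the download-url
// response. Throws when the tag does not verify, so no plaintext is returned
// for modified ciphertext, a wrong IV, or a wrong key.
function decryptDownload(dek, ciphertext, meta) {
  const iv = Buffer.from(meta.iv, 'base64');
  const tag = Buffer.from(meta.tag, 'base64');
  if (iv.length !== 12 || tag.length !== 16) { // 16-byte tag is an assumption
    throw new Error('unexpected IV or tag length');
  }
  const decipher = createDecipheriv('aes-256-gcm', dek, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]);
}

// Constructed sample data: a random key stands in for the KMS-unwrapped DEK.
function demo() {
  const dek = randomBytes(32);
  const file = Buffer.from('constructed sample file contents');
  const { ciphertext, confirmBody } = encryptForUpload(dek, file);
  const roundTrip = decryptDownload(dek, ciphertext, confirmBody).equals(file);
  const tampered = Buffer.from(ciphertext);
  tampered[0] ^= 0x01; // one flipped bit, as corruption or tampering in storage would cause
  let rejected = false;
  try { decryptDownload(dek, tampered, confirmBody); } catch { rejected = true; }
  return { roundTrip, rejected };
}
```

decryptDownload buffers the whole file before returning; a streaming integration must likewise withhold plaintext from consumers until final() has verified the tag.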
Delete a file
DELETE /api/v1/files/:file_id
Requires room Owner or Contributor role.
Create a share link
POST /api/v1/files/:file_id/share
{
  "expires_in": 86400,
  "max_downloads": 1
}
expires_in is in seconds. max_downloads is optional.