The Tokens service allows you to create, manage, and validate file tokens for your storage files. These tokens provide a way to grant temporary, controlled access to files without requiring user authentication or exposing sensitive permissions.
File tokens are particularly useful when you need to share access to private storage files with unauthenticated users or services for a limited time period. Each token is linked to a specific file and can be configured with an expiry date to ensure access is only granted for the necessary duration.
You can use tokens to generate secure URLs to view, preview, or download files. The Tokens service provides endpoints to create, list, retrieve, update, and delete tokens, giving you complete control over file access management.
For more detailed information about using file tokens in your application, refer to the File tokens documentation.
https://<REGION>.cloud.appwrite.io/v1
Create file token
Create a new token. A token is linked to a file. The token can be passed as a request URL search parameter.
- Request
  - bucketId (string, required): Storage bucket unique ID. You can create a new storage bucket using the Storage service server integration.
  - fileId (string, required): File unique ID.
  - expire (string): Token expiry date.

- Response
  - 201 application/json

- Rate limits
  This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.
  The limit is applied for each unique limit key.
  - Time frame: 1 minute
  - Attempts: 60 requests
  - Key: IP + METHOD + URL + USER ID
POST /tokens/buckets/{bucketId}/files/{fileId}
const sdk = require('node-appwrite');
const client = new sdk.Client()
    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<YOUR_PROJECT_ID>') // Your project ID
    .setKey('<YOUR_API_KEY>'); // Your secret API key
const tokens = new sdk.Tokens(client);
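// Top-level await is a syntax error in a CommonJS script, so run the call inside an async function
(async () => {
    const result = await tokens.createFileToken({
        bucketId: '<BUCKET_ID>',
        fileId: '<FILE_ID>',
        expire: '' // optional
    });
})();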
List tokens
List all the tokens created for a specific file or bucket. You can use the query params to filter your results.
- Request
  - bucketId (string, required): Storage bucket unique ID. You can create a new storage bucket using the Storage service server integration.
  - fileId (string, required): File unique ID.
  - queries (array): Array of query strings generated using the Query class provided by the SDK. Learn more about queries. Maximum of 100 queries are allowed, each 4096 characters long. You may filter on the following attributes: expire

- Response
  - 200 application/json
 
GET /tokens/buckets/{bucketId}/files/{fileId}
const sdk = require('node-appwrite');
const client = new sdk.Client()
    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<YOUR_PROJECT_ID>') // Your project ID
    .setKey('<YOUR_API_KEY>'); // Your secret API key
const tokens = new sdk.Tokens(client);
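// Top-level await is a syntax error in a CommonJS script, so run the call inside an async function
(async () => {
    const result = await tokens.list({
        bucketId: '<BUCKET_ID>',
        fileId: '<FILE_ID>',
        queries: [] // optional
    });
})();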
Get token
Get a token by its unique ID.
- Request
  - tokenId (string, required): Token ID.

- Response
  - 200 application/json
 
GET /tokens/{tokenId}
const sdk = require('node-appwrite');
const client = new sdk.Client()
    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<YOUR_PROJECT_ID>') // Your project ID
    .setKey('<YOUR_API_KEY>'); // Your secret API key
const tokens = new sdk.Tokens(client);
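// Top-level await is a syntax error in a CommonJS script, so run the call inside an async function
(async () => {
    const result = await tokens.get({
        tokenId: '<TOKEN_ID>'
    });
})();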
Update token
Update a token by its unique ID. Use this endpoint to update a token's expiry date.
- Request
  - tokenId (string, required): Token unique ID.
  - expire (string): File token expiry date.

- Response
  - 200 application/json

- Rate limits
  This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.
  The limit is applied for each unique limit key.
  - Time frame: 1 minute
  - Attempts: 60 requests
  - Key: IP + METHOD + URL + USER ID
PATCH /tokens/{tokenId}
const sdk = require('node-appwrite');
const client = new sdk.Client()
    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<YOUR_PROJECT_ID>') // Your project ID
    .setKey('<YOUR_API_KEY>'); // Your secret API key
const tokens = new sdk.Tokens(client);
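// Top-level await is a syntax error in a CommonJS script, so run the call inside an async function
(async () => {
    const result = await tokens.update({
        tokenId: '<TOKEN_ID>',
        expire: '' // optional
    });
})();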
Delete token
Delete a token by its unique ID.
- Request
  - tokenId (string, required): Token ID.

- Response
  - 204 no content

- Rate limits
  This endpoint is not limited when using Server SDKs with API keys. If you are using SSR with setSession, these rate limits will still apply. Learn more about SSR rate limits.
  The limit is applied for each unique limit key.
  - Time frame: 1 minute
  - Attempts: 60 requests
  - Key: IP + METHOD + URL + USER ID
DELETE /tokens/{tokenId}
const sdk = require('node-appwrite');
const client = new sdk.Client()
    .setEndpoint('https://<REGION>.cloud.appwrite.io/v1') // Your API Endpoint
    .setProject('<YOUR_PROJECT_ID>') // Your project ID
    .setKey('<YOUR_API_KEY>'); // Your secret API key
const tokens = new sdk.Tokens(client);
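// Top-level await is a syntax error in a CommonJS script, so run the call inside an async function
(async () => {
    const result = await tokens.delete({
        tokenId: '<TOKEN_ID>'
    });
})();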
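
The service ties each token to an expiry date so that access lasts only as long as needed. As an added example (not from the Appwrite documentation), the helper below checks token records against a maximum lifetime and builds a clamped `expire` value. The record fields `$id` and `expire`, the 24-hour policy and the sample records are assumptions made for the illustration.

```javascript
// Added example: the field names ($id, expire) and the 24-hour policy are assumptions.
const MAX_TTL_MS = 24 * 60 * 60 * 1000; // assumed policy: a token lives at most 24 hours

// Build an ISO 8601 value for the `expire` parameter, clamped to the policy maximum.
function expiryFor(ttlMs, now = new Date()) {
    if (!Number.isFinite(ttlMs) || ttlMs <= 0) {
        throw new RangeError('ttlMs must be a positive number of milliseconds');
    }
    return new Date(now.getTime() + Math.min(ttlMs, MAX_TTL_MS)).toISOString();
}

// Classify token records (shape assumed from the list response) against the policy.
function auditTokens(tokens, now = new Date()) {
    const report = { ok: [], expired: [], noExpiry: [], tooLong: [] };
    for (const t of tokens) {
        const ts = t.expire ? Date.parse(t.expire) : NaN;
        if (Number.isNaN(ts)) report.noExpiry.push(t.$id);      // missing or unparsable expiry
        else if (ts <= now.getTime()) report.expired.push(t.$id); // past its expiry
        else if (ts - now.getTime() > MAX_TTL_MS) report.tooLong.push(t.$id);
        else report.ok.push(t.$id);
    }
    return report;
}

// Constructed sample records, not real API output.
const sampleNow = new Date('2025-01-10T12:00:00.000Z');
const sampleTokens = [
    { $id: 'tok_a', expire: '2025-01-10T13:00:00.000Z' }, // one hour left, within policy
    { $id: 'tok_b', expire: '2025-01-09T12:00:00.000Z' }, // expired a day ago
    { $id: 'tok_c', expire: '' },                          // no expiry value set
    { $id: 'tok_d', expire: '2026-01-10T12:00:00.000Z' }, // a year out, exceeds policy
];

const sampleReport = auditTokens(sampleTokens, sampleNow);
console.log(sampleReport);
console.log(expiryFor(15 * 60 * 1000, sampleNow));
```

Tokens reported under `noExpiry` or `tooLong` are candidates for `tokens.update` with a value from `expiryFor`; those under `expired` can be removed with `tokens.delete`.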