Programmatic access to upload, list, fetch, and delete end-to-end
encrypted images. All endpoints are under
https://uploadimages.org.
Overview
The v1 API is a small JSON-over-HTTPS surface. You authenticate
with a Bearer key, send fields as either JSON or multipart, and
receive JSON in return (except GET /images/:id, which
returns raw bytes). Every state-changing endpoint is rate-limited
and scoped.
The server never sees image plaintext. Your client encrypts with
AES-256-GCM before uploading, then puts the decryption key in the
URL fragment (#…) so it never reaches the server.
See how it works.
Each key carries fixed scopes. Endpoint failures with code 403 tell you which scope is missing.
Scope
What it grants
read
List your images, fetch metadata, view usage and events
write
Upload new images
delete
Delete single images or bulk-delete
admin
Rotate keys via the API; rarely needed (use the dashboard instead)
Isolation: every endpoint that accepts an
:image_id returns 404 if the image isn't
yours, not 403. The server never reveals whether someone
else's image exists.
Errors
All errors are JSON: {"error": "human-readable string"}.
Status
When
400
Request was malformed or a field failed validation.
401
Missing or invalid bearer token.
403
Your key, account, or quota state doesn't permit this action. The body explains which.
404
The resource doesn't exist or isn't visible to you.
413
File too large. The current upload limit is configured by the administrator.
429
You're sending requests faster than allowed. Wait briefly and retry.
503
The service is temporarily unavailable.
Images
POST/api/v1/imagesrequires write
Upload an image. multipart/form-data. Returns the id, share link, and a control token (save it; needed to delete via the legacy non-bearer endpoint).
Body fields
Field
Type
Required
Notes
file
file
yes
Image bytes (or ciphertext if e2e=true)
visibility
string
no
public or private (default private)
ttl
integer
no
auto-delete after N seconds; 60 – 31,536,000
password
string
no
≤128 chars; viewer must supply X-Password
nsfw
bool
no
true / 1 / on
e2e
bool
no
Tells the server the file is pre-encrypted ciphertext, not a decodable image