Remove a Filestack File with the REST API

For developers who deal with sensitive data, we offer the ability to remove access to files. This process wipes all traces of the file from our servers and deletes it from temporary storage. If the file was originally pulled from a cloud source like Google Drive, the Filestack file link is deleted but the original file is not. However, if pickAndStore or another store method was used to make a copy of the original file, the remove request will delete the copy as well as the Filestack link to the file. Per REST, this is accomplished via a DELETE request to the file link.


Filestack has added an additional layer of security that will be required in order to perform a remove call. This change is detailed here. The REMOVE REST API call now requires one of two possible methods for validating the request.

Security Documentation

The remove request will not work with Filestack CDN URLs and requires the use of URLs in the format of

Example Remove Requests:

Note: unlike the other examples, these ones can't just be copied and pasted into a console, as deleting a file link only works once!

  1. The first option for formatting a remove request is to include a valid Filestack policy and signature with the remove permission. Details on creating and using Filestack policies and signatures can be found in the Security section of the documentation.

    Policy and Signature example:

    >>> curl -X DELETE '**HANDLE**?key=APIKEY&policy=eyJoYW5kbGUiOiJPdVdaVkxSVFR0aUJuc2lxWTVtayIsImV4cGlyeSI6MTQ1NjI0NzE2Nn0=&signature=ba420f3415777820590b4a6390244ce0407897125b46b7e8ca8d255607aa436c'

    Alternate Remove Request Format with Policy and Signature:

    >>> curl -X POST "**HANDLE**/remove?key=APIKEY&policy=eyJoYW5kbGUiOiJPdVdaVkxSVFR0aUJuc2lxWTVtayIsImV4cGlyeSI6MTQ1NjI0NzE2Nn0=&signature=ba420f3415777820590b4a6390244ce0407897125b46b7e8ca8d255607aa436c"

  2. The second option for formatting a remove request requires validation through the passing of an additional secret key. This information can be passed in two different ways:

    1. The request includes a "user", which is the word "app", and a "password", which is the "App Secret" that can be found in the Security section of the developer portal under App Secret.

      User and Password example:

      >>> curl -u "app:TN6MAIP4XZHLFLX7RO2D77X4JU" -X DELETE '**HANDLE**?key=APIKEY'

    2. The request is accompanied by a base64 string containing the "App Secret" that can be found in the Security section of the developer portal under App Secret. The header string to be base64 encoded should look like this: 'app:TN6MAIP4XZHLFLX7RO2D77X4JU'. If you encode this at for example, you should receive: 'YXBwOlRONk1BSVA0WFpITEZMWDdSTzJENzdYNEpV'

      Basic Access Authentication example:

      >>> curl -H "Authorization: Basic YXBwOlRONk1BSVA0WFpITEZMWDdSTzJENzdYNEpV" -X DELETE '**HANDLE**?key=APIKEY'

You will need to have a valid Filestack policy and signature in order to perform the requested call. This allows you to select who can and cannot perform certain actions on your site. Read more about security and how to generate policies and signatures.
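The policy and signature from the first option and the Basic header from the second, as an added Python example (not Filestack's own code). It assumes the scheme in Filestack's security documentation, which this page references but does not reproduce: the policy is base64url-encoded JSON and the signature is the hex HMAC-SHA256 of that string keyed with the App Secret. The `call` key, `EXAMPLE_APP_SECRET` and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder. A real App Secret stays server-side in a secret store.
EXAMPLE_APP_SECRET = "constructed-secret-not-a-real-key"


def make_remove_policy(handle, ttl_seconds=300, now=None):
    """Policy scoped to one handle and the remove call, with a short expiry."""
    issued = int(time.time()) if now is None else int(now)
    # Assumption: "call" is the policy key listing permitted calls.
    policy = {"handle": handle, "call": ["remove"], "expiry": issued + ttl_seconds}
    raw = json.dumps(policy, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_policy(policy_b64, secret):
    """Assumed scheme: hex HMAC-SHA256 of the encoded policy, keyed by the secret."""
    return hmac.new(secret.encode(), policy_b64.encode(), hashlib.sha256).hexdigest()


def decode_policy(policy_b64):
    """Decode a policy so its scope and expiry can be audited before it is used."""
    padded = policy_b64 + "=" * (-len(policy_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def policy_allows_remove(policy_b64, signature, secret, handle, now=None):
    """Local pre-flight check of signature, expiry, handle and call scope."""
    if not hmac.compare_digest(sign_policy(policy_b64, secret), signature):
        return False
    policy = decode_policy(policy_b64)
    current = int(time.time()) if now is None else int(now)
    if policy.get("expiry", 0) <= current:
        return False
    if policy.get("handle", handle) != handle:
        return False
    # Assumption: a policy without "call" is not restricted to specific calls.
    return "remove" in policy.get("call", ["remove"])


def basic_auth_header(secret):
    """Authorization value for the second option: base64 of 'app:<App Secret>'."""
    return "Basic " + base64.b64encode(f"app:{secret}".encode()).decode()
```

Issuing a short-lived, handle-scoped policy and signature to the caller keeps the App Secret on the server, whereas the user/password and Basic header forms put the secret itself in every request. Running `decode_policy` on the sample policy in the curl commands above shows it carries only a handle and an expiry.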