Security - Policies & Signatures

Filestack offers several ways to make your files exactly as secure as you need them to be. You can use security parameters with your Filepicker, FileLinks, file conversions, and any of our SDKs.

Filestack security is handled with a JSON object that contains two things: a Policy and a Signature.


The Policy states which operations can be performed with the feature of the API that is being used. Policies include an expiration and optional permissions.

This means that you can create a policy that is only valid for a specific time and function.


The Signature is a unique HMAC-encoded string, generated from your secret key and the Policy, that identifies the origin of the request.

Do not share your secret key or expose it in your client-side code.
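One way to produce a policy and signature pair on a server so the secret key never reaches client code, as an added example that is not Filestack's own code. It assumes the signature is a hex HMAC-SHA256 over the URL-safe base64 policy and that `call` and `handle` are the policy's permission fields (the page itself names only HMAC, an expiration and optional permissions); the secret, handle and timestamps are constructed sample values.

```javascript
// Added example (Node.js, server side). Not Filestack SDK code.
const nodeCrypto = require("node:crypto");

// URL-safe base64 of the policy JSON, padding kept.
function encodePolicy(policy) {
  return Buffer.from(JSON.stringify(policy), "utf8")
    .toString("base64").replace(/\+/g, "-").replace(/\//g, "_");
}

// Assumption: signature = hex HMAC-SHA256 over the encoded policy, keyed with the app secret.
function signPolicy(policy, secret) {
  const encoded = encodePolicy(policy);
  const signature = nodeCrypto.createHmac("sha256", secret).update(encoded).digest("hex");
  return { policy: encoded, signature };
}

// Short-lived, least-privilege policy: one permission, one file handle.
// `call` and `handle` are assumed field names; `expiry` appears in the page's own policies.
function readOnlyPolicy(handle, ttlSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  return { expiry: nowSeconds + ttlSeconds, call: ["read"], handle };
}

// Local check mirroring what a verifier has to do: authenticate first, then parse.
function checkSecurity({ policy, signature }, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const expected = nodeCrypto.createHmac("sha256", secret).update(policy).digest();
  const given = Buffer.from(String(signature), "hex");
  // Length check first: timingSafeEqual throws on buffers of different size.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  const claims = JSON.parse(Buffer.from(policy, "base64").toString("utf8"));
  if (typeof claims.expiry !== "number" || claims.expiry <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

// Constructed sample values; a real secret would come from server-side configuration.
const SAMPLE_SECRET = "constructed-secret-not-a-real-key";
const SAMPLE_NOW = 1700000000;
const sample = signPolicy(readOnlyPolicy("SampleHandle123", 300, SAMPLE_NOW), SAMPLE_SECRET);
console.log(sample, checkSecurity(sample, SAMPLE_SECRET, SAMPLE_NOW));
```

Only the returned `policy` and `signature` strings are handed to the browser; a tampered policy or a pair used after `expiry` fails the check.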

Filestack Security Tools

You can enforce the use of security with your API as well as create policies and signatures in your Developer Portal.

You MUST take steps to generate policies and signatures before turning on security.

When security is turned on, the API will not accept any requests without the correct parameters.

Using Security with Filestack

Security can be used in the following ways:

Pass Security into your Filepicker

To use Signature and Policy with your Filepicker, you will need to pass the created JSON into the init function along with your API key.

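const apikey = "Your_API_Key";
// Policy and signature are generated with your secret key ahead of time;
// only these two values, never the secret itself, appear in client code.
const security = { policy: "YourPolicy", signature: "YourHMACSignature" };
const client = filestack.init(apikey, security);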

If you turn on security in your developer portal, but do not pass it with the init function, users will see this:

Add security to your FileLink

Signature and policy can be added to FileLinks to protect the delivery of your uploads.

Filelink before security:


Filelink with security:

https://cdn.filestackcontent.com/UC8xWXemQMyz2OQxzh1A?policy=eyJleHBpcnkiOjQxMDA3Mzg0MDB9&signature=b34730361115a27c67593c1f67e2b135e1f928776616067c14cf46bdb3d7ee4a

Conversion Filelink before security:


Conversion Filelink with security:

https://process.filestackapi.com/ANdpKX6pWRIevNAWvvOOtz/security=policy:eyJleHBpcnkiOjE3NjQ1MzYwMjR9,signature:9bb689d6aacfe5757af84c204299fa6654a4e7c89e89c29aff8457cf716211e6/rotate=deg:90/https://www.filestackapi.com/api/file/ajTW5xm2Sd6v22yrtKmQ?policy=eyJleHBpcnkiOjE3NjQ1MzYwMjR9&signature=9bb689d6aacfe5757af84c204299fa6654a4e7c89e89c29aff8457cf716211e6

Add security to your File Viewer

You can specify policy and signature in the HTML div calling your viewer by using data-fp-policy and data-fp-signature.

<div type="filepicker-preview" data-fp-url="https://www.filestackapi.com/api/file/7cSeLSlZSmCk3k8CQtAv" data-fp-policy="YourPolicy" data-fp-signature="YourHMACSignature" style="width:75%; height:500px"></div>