Skip to main content
Signed URLs let you upload or download files from a sandbox without exposing your API key. This is useful for:
  • Letting browsers download files directly from a sandbox
  • Sharing temporary download links with users
  • Uploading files from untrusted clients (e.g. a frontend app)

How It Works

  1. Your backend generates a signed URL using your API key
  2. The URL contains an HMAC signature and expiry timestamp
  3. Anyone with the URL can upload/download — no API key needed
  4. The URL expires automatically (default: 1 hour, max: 24 hours)

Generating URLs

import { Sandbox } from "@opencomputer/sdk";

const sandbox = await Sandbox.create();

// Generate a download URL (default: 1 hour expiry)
const downloadUrl = await sandbox.downloadUrl("/app/output.zip");

// Generate an upload URL
const uploadUrl = await sandbox.uploadUrl("/app/input.csv");

// Custom expiry (in seconds)
const shortUrl = await sandbox.downloadUrl("/app/output.zip", { expiresIn: 300 }); // 5 minutes

Downloading Files

Use the signed download URL with a plain GET request — no headers required: 
const url = await sandbox.downloadUrl("/app/results.csv");

// Fetch from browser or server — no API key needed
const resp = await fetch(url);
const data = await resp.arrayBuffer();

Uploading Files

Use the signed upload URL with a PUT request: 
const url = await sandbox.uploadUrl("/app/data.csv");

// Upload from browser or server — no API key needed
await fetch(url, {
  method: "PUT",
  body: fileContent, // string, Uint8Array, Blob, etc.
});

Large Files

Signed URLs support files of any size — the entire pipeline streams data in 256KB chunks without buffering. Files up to 200MB+ have been tested at ~20 MB/s throughput. 
// Upload a 100MB file via signed URL
const data = new Uint8Array(100 * 1024 * 1024);
const uploadUrl = await sandbox.uploadUrl("/data/model.bin");
await fetch(uploadUrl, { method: "PUT", body: data });

// Download it back
const downloadUrl = await sandbox.downloadUrl("/data/model.bin");
const resp = await fetch(downloadUrl);
const downloaded = new Uint8Array(await resp.arrayBuffer());

Security

  • Tamper-proof: URLs are signed with HMAC-SHA256. Changing the path, sandbox ID, or expiry invalidates the signature.
  • Time-limited: URLs expire after the specified duration (default 1 hour, max 24 hours). Expired URLs return 403.
  • Operation-scoped: Download URLs cannot be used for uploads and vice versa.
  • Path-scoped: Each URL is bound to a specific file path. Changing the path in the URL returns 403.
Full reference: TypeScript SDK · Python SDK · HTTP API.