Media management (photos, PDF documents)
Upload media and attach to entity
Uploads a file and immediately attaches it to the target entity.
- MIME and size validation according to a security level determined by
entity_type. - In secure mode (SSE-C), the content is stored encrypted on the S3 side and not returned in plaintext.
- The response contains the
Mediaobject (not the binary). - Supports tags (comma-separated) and a unique role for the entity.
path Parameters
entity_typeBusiness entity type supported for media
entity_idUpload media and attach to entity › Request Body
fileThe file to upload
tagsComma-separated tags (e.g., photo,primary,facade)
roleUnique role of the media for this entity
Upload media and attach to entity › Responses
Created
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atList media attached to an entity
Returns the Media objects linked to the entity. Encrypted contents are not returned here.
path Parameters
entity_typeBusiness entity type supported for media
entity_idList media attached to an entity › Responses
OK
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atSearch media by tags (optionally scoped to an entity)
Searches on tags (TEXT[] + GIN). match_all=true (default) requires that all tags match.
Can be restricted to an entity.
query Parameters
tagsComma-separated list of tags (lowercase)
match_allIf true (default), all tags must match; else any
entity_typeBusiness entity type supported for media
entity_idSearch media by tags (optionally scoped to an entity) › Responses
OK
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atReplace media tags
path Parameters
idReplace media tags › Responses
OK
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atAssign a unique role to a media for an entity
Assigns a unique role (ENUM media_role) to a media_id for an entity.
- Uniqueness is guaranteed by a partial index (tenant_id, entity_type, entity_id, role).
- The body accepts a
rolecorresponding to the MediaRole enum values (AVATAR, ID_DOCUMENT, PRIMARY_PHOTO, LEASE_ORIGINAL, LEASE_SIGNED). - Case-insensitive support for flexibility (e.g., "avatar" or "AVATAR").
path Parameters
entity_typeBusiness entity type supported for media
entity_idmedia_idAssign a unique role to a media for an entity › Request Body
roleMedia role (enum MediaRole) - accepts values AVATAR, ID_DOCUMENT, PRIMARY_PHOTO, LEASE_ORIGINAL, LEASE_SIGNED
Assign a unique role to a media for an entity › Responses
No Content
Get media by role for an entity
Retrieves the Media with the requested role for the entity.
path Parameters
entity_typeBusiness entity type supported for media
entity_idroleGet media by role for an entity › Responses
OK
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atClear role assignment for an entity
Removes the role assignment for the given entity.
path Parameters
entity_typeBusiness entity type supported for media
entity_idroleClear role assignment for an entity › Responses
No Content
Serve media (JSON for unencrypted, binary for encrypted)
- If the media is encrypted (SSE-C), the server returns the binary content with server-side decryption and
checksumverification. - If not encrypted, returns the
Mediaobject (with the S3 URL).
path Parameters
idServe media (JSON for unencrypted, binary for encrypted) › Responses
OK
idurlmedia_typeMIME type (e.g. application/pdf, image/jpeg)
file_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
encryption_key_idSSE-C key identifier if the media is encrypted (secure mode)
checksumSHA-256 of the source content for integrity verification
tagsTags normalized to lowercase; max 32 tags; each tag <= 64 chars, [a-z0-9_-]
rolesRoles associated with this media for different entities
created_atupdated_atServe media for workers (Base64 JSON)
Endpoint intended for workers (specific API key/Bearer).
- Returns the file in Base64.
- Requires
X-Tenant-IDandX-Worker-Type.
path Parameters
idHeaders
X-Worker-TypeWorker type (e.g. signature-processor, otp-validator)
X-Tenant-IDTenant identifier
Serve media for workers (Base64 JSON) › Responses
OK
pdf_base64document_namecontent_typefile_sizesecurity_levelSecurity/encryption level. CRITICAL and SENSITIVE may trigger SSE-C encrypted storage; STANDARD is unencrypted.
Upload signed PDF from worker
Uploads a signed PDF from a worker. The document is stored in secure mode (SSE-C) with checksum.
Returns the metadata of the created signed media.
path Parameters
media_idHeaders
X-Tenant-IDX-Worker-TypeUpload signed PDF from worker › Responses
Created
successmessagedata