More control over upload token

Hello API.video team,

I’ve noticed that the current upload token allows for the upload of multiple videos and without any metadata about the video using any upload token. This approach may not be the most secure solution for frontend applications. I suggest implementing a system where each upload token is linked to a specific video container. This would enhance security, as the backend would always have the necessary information about which video was uploaded by whom without requiring any additional information from the frontend.

Hey there,

Thanks for the suggestion! it’s actually already possible today.

With the upload token, you can also pass a video id: Upload with an delegated upload token that means, that on the backend, you can already create a video object, pass it to the frontend and then assign it to a specific video id.

Thank you for your response.

I have noticed that the videoId field is missing in both the Node.js SDK and the Flutter uploader. Could you please check if this field is supported?

Also, the current solution addresses only a part of the problem, allowing the frontend to upload videos into video oject. However, it still leaves room for misuse, as the same token can be used for multiple videos. Additionally, the frontend has the flexibility to choose the videoId, which might not align with our desired structure where all uploads should be associated with a specific video object.

To address these issues, I propose the following solution:

1. First, create a video object:

   const video = await this.client.videos.create(...);
   

2. Next, create an upload token specific to this video object:

   const token = await this.client.uploadTokens.createToken({
     ttl: 3600,
     videoId: video.videoId
   });
   

3. Send the generated token to the client for use during the upload process.

This approach ensures that each upload is associated with a specific video object and prevents the token from being used for multiple videos. It enforces a more controlled and secure upload process.

if this could be implement will be great

Thanks for the suggestion, our engineering team will look into the feasibility of this feature.

However, please note that the token contains a TTL, if you set a short TTL, the users will not be able to abuse the token. e.g:

const token = await this.client.uploadTokens.createToken({
  ttl: 10,
});

Second, if you already uploaded video to a video object, you cannot re-upload another video to the same object, hence, once the user uploaded one video, the video id becomes useless, furthermore, even if the user is trying to abuse the token, with a very short ttl, assuming that the token was intercepted, it’s unlikely that the abuser will be able to act that fast on the token, as it will expire before they will be able to utilize it.

Tying the token to a video id won’t really resolve the security issue, the best way to handle that is:

1. use domain referrer headers, only your domain will be able to get the token from the server
2. use TTL that is very short

The node.js client library is a backend library, hence it will only generate the token, however, I will make to pass on the fact that the feature is missing from Flutter uploader.

I’m not sure if this works for this specific case, but in addition to everything that Artem mentions you can also delete the token once it is used (make the call with nodejs in your backend), this way you avoid that it is used again, you will need to create one every time you want to upload a video.

Really good point by @diego, you can leverage the upload-token endpoint: Delete an upload token

deleting the token seems reasonable to me for now, thank you both for responding to me