Authentication
Filebase authentication is AWS Signature Version 4 (AWS4-HMAC-SHA256) — the same protocol used by AWS S3. Every modern S3 client and SDK signs requests automatically; you only need to supply your access key pair and, for some clients, the endpoint and region.
What you need
| Setting | Value |
|---|---|
| Access Key ID | from console.filebase.com/keys |
| Secret Access Key | from console.filebase.com/keys |
| Region | auto |
| Service | s3 |
| Signature version | s3v4 (SigV4) |
How signing works
For every API request:
- The client builds a canonical request string from the HTTP method, the URL path, the query string, the signed headers, and a SHA-256 hash of the body.
- The client computes a signing key from your secret access key, the request date, the region, and the service.
- The client computes an HMAC-SHA-256 of the canonical string with the signing key to produce the signature.
- The signature plus metadata (key ID, signed-header list, region, date) is sent in the Authorization header.
Filebase repeats the same calculation server-side and rejects the request if the signatures don't match.
Example: a signed request
This is what a GetObject request looks like on the wire:
```http
GET /my-bucket/photo.jpg HTTP/1.1
Host: s3.filebase.io
X-Amz-Date: 20260501T120000Z
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Authorization: AWS4-HMAC-SHA256
    Credential=ACCESS_KEY/20260501/auto/s3/aws4_request,
    SignedHeaders=host;x-amz-content-sha256;x-amz-date,
    Signature=abc123...
```
The body of the request is hashed (SHA-256), and that hash is included in the canonical string. For streaming uploads where the body length isn't known in advance, use UNSIGNED-PAYLOAD as the content hash and authenticate the body with chunked signing.
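The signing steps above, carried out for the GetObject request shown, as an added example (not Filebase's or AWS's own code) using only the Python standard library. It follows the public SigV4 layout, in which the canonical request is hashed into a "string to sign" before the final HMAC; the secret is a constructed placeholder, and the path and query string are assumed to be URI-encoded already.

```python
import hashlib
import hmac

def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service key from the secret."""
    k = hmac_sha256(("AWS4" + secret).encode(), date)
    for part in (region, service, "aws4_request"):
        k = hmac_sha256(k, part)
    return k

def sign(secret, method, path, query, headers, body, region="auto", service="s3"):
    """Return (signature, signed_headers, scope) for one request.
    Every header passed in is signed; x-amz-date must be among them.
    Assumption: path and query are already URI-encoded and sorted."""
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed = ";".join(sorted(hdrs))
    canonical = "\n".join([
        method, path, query,
        "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs)),
        signed,
        hashlib.sha256(body).hexdigest(),
    ])
    amz_date = hdrs["x-amz-date"]
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = signing_key(secret, amz_date[:8], region, service)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest(), signed, scope

def verify(secret, presented_sig, method, path, query, headers, body):
    """Server side: recompute the signature and compare in constant time."""
    expected, _, _ = sign(secret, method, path, query, headers, body)
    return hmac.compare_digest(expected, presented_sig)

# Constructed sample values; not real credentials.
SECRET = "EXAMPLE-SECRET-KEY"
HEADERS = {
    "Host": "s3.filebase.io",
    "X-Amz-Date": "20260501T120000Z",
    "X-Amz-Content-Sha256": hashlib.sha256(b"").hexdigest(),
}
SIG, SIGNED, SCOPE = sign(SECRET, "GET", "/my-bucket/photo.jpg", "", HEADERS, b"")
AUTHORIZATION = (f"AWS4-HMAC-SHA256 Credential=ACCESS_KEY/{SCOPE}, "
                 f"SignedHeaders={SIGNED}, Signature={SIG}")
```

Changing the path, the body, or the secret produces a different signature, which is why a tampered or replayed-elsewhere request fails verification.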
SigV2 is not supported
Filebase does not accept the older AWS Signature Version 2. If your tool only supports SigV2, upgrade — every actively maintained S3 client supports SigV4, and most have for years.
Pre-signed URLs
To grant short-lived access to a single object without sharing your access keys, generate a pre-signed URL. The signature is computed once, embedded in the URL as a query parameter, and the URL works for any client (browser, curl, fetch) until it expires.
Best practices
- Never commit secret keys. Use environment variables or a secrets manager.
- Rotate keys if you suspect exposure (Access Keys → Rotate in the console).
- Use pre-signed URLs for browser uploads and time-limited shares — never hand out your raw secret key.
- Keep clocks in sync. SigV4 includes a timestamp; if your client clock drifts more than 15 minutes from server time, requests fail with RequestTimeTooSkewed.