I read the following article.
tl;dr
Trello will begin requiring API key and token authorization to access card attachment download URLs.
Timeline
As of right now, you can construct the future-proof /download/ URLs and pass in authorization. We HIGHLY recommend updating to use this access pattern now as no changes will be required when authorization is required. More on this in Opt In To Try New Routes below.
We are working to determine the date at which we will limit all authorization validity to 1 hour permanently.
De…
According to this article, when we throw a request like
curl "https://api.trello.com/1/cards/{idCard}/attachments/?fields=url&key={{apiKey}}&token={{apiToken}}"
we are supposed to receive a response with a signature parameter, such as
[{
"id": "5ef22a288dcee602857a9990",
"url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png?signature=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYmYiOjE1OTM0NTcyMDAsImV4cCI6MTU5MzQ2MjYwMCwicmVzIjoiNWVkZmEzNzY3M2U1MzcxNjEwMTYzNjFjOjVlZjIyYTI4OGRjZWU2MDI4NTdhOTk5MCIsImlhdCI6MTU5MzQ1OTkwNSwiYXVkIjoiVHJlbGxvIiwiaXNzIjoiVHJlbGxvIn0.8YcOCOFZ4rURYWoiYYEhAEeyQJyMcnSBRo83UviTA_k"
}]
However, when I throw a request, I get a response with no signature parameter. In other words, I get a response like the following:
[{
"id": "5ef22a288dcee602857a9990",
"url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png"
}]
This does not allow me to retrieve attachments via the API. What should I do?
Hi @DaikiAkimoto and welcome! This particular topic has caused some confusion, especially with the two separate posts regarding this update.
Basically, what you’re looking for is the update below stating that you will now need to pass your key and token in the authorization header via OAuth1.0 methods.
tl;dr
Trello will begin requiring API key and token authorization via the Authorization header to access card attachment download URLs.
Update: This was previously announced but the implementation has changed enough that we are re-announcing. Query parameter-based authorization will be turned off on January 25, 2021. The manually built /download/ routes we previously recommended continue to be our recommendation moving forward.
We will be reaching out directly to developers who are using quer…
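Added example, not part of the original thread and not Trello's own code: a Python sketch that turns the `url` values from the attachments response into download requests carrying the key and token only in the Authorization header. The header format (`OAuth oauth_consumer_key="…", oauth_token="…"`) is the one Trello documents for this change and does not appear in the thread; the function names, the host and path checks, and the `EXAMPLE_KEY` / `EXAMPLE_TOKEN` placeholders are assumptions of this example.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request

# Manually built route recommended in the announcement:
# /1/cards/{idCard}/attachments/{idAttachment}/download/{fileName}
DOWNLOAD_PATH = re.compile(
    r"^/1/cards/[0-9A-Za-z]+/attachments/[0-9A-Za-z]+/download/[^/]+$")


def build_download_request(url, api_key, api_token):
    """Return a urllib Request that carries key and token only in the header."""
    parts = urlsplit(url)
    # Send credentials only to Trello's API host over TLS, never to an
    # arbitrary URL found in card data.
    if parts.scheme != "https" or parts.netloc != "api.trello.com":
        raise ValueError("refusing to send credentials to " + url)
    if not DOWNLOAD_PATH.match(parts.path):
        raise ValueError("not an attachment download route: " + parts.path)
    # Drop any query string (key=, token=, signature=) so secrets stay out of
    # the URL and therefore out of proxy and access logs.
    clean_url = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    header = 'OAuth oauth_consumer_key="%s", oauth_token="%s"' % (api_key, api_token)
    return Request(clean_url, headers={"Authorization": header})


def requests_for_attachments(response_body, api_key, api_token):
    """Map the JSON list returned by /attachments/?fields=url to Requests."""
    return [build_download_request(item["url"], api_key, api_token)
            for item in json.loads(response_body)]


# Response body copied from the question above; key and token are placeholders.
SAMPLE = """[{
"id": "5ef22a288dcee602857a9990",
"url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png"
}]"""

if __name__ == "__main__":
    for req in requests_for_attachments(SAMPLE, "EXAMPLE_KEY", "EXAMPLE_TOKEN"):
        print(req.full_url)
        print(req.get_header("Authorization"))
        # urllib.request.urlopen(req) would perform the actual download.
```
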