tl;dr
Trello will begin requiring API key and token authorization via the Authorization header to access card attachment download URLs.
Update: This was previously announced but the implementation has changed enough that we are re-announcing. Query parameter-based authorization will be turned off on January 25, 2021. The manually built /download/ routes we previously recommended continue to be our recommendation moving forward.
We will be reaching out directly to developers who are using query parameters for authorization to ensure that your applications are updated before query parameter-based auth is turned off.
Timeline
Authorization for attachments will be turned on for individual enterprises in an enterprise-by-enterprise fashion. We will create a new changelog card at the point in time it is going to be turned on for all attachments.
As of right now, you can construct the future-proof /download/ URLs and pass in an Authorization header. We HIGHLY recommend updating to use this access pattern now as no changes will be required when authorization is required. More on this in Opt In To Try New Routes below.
The previously announced query-based authorization will be turned off on January 25, 2021.
Details
Currently, when you make a request to GET a file attachment on a card, you will receive back a payload that includes the URL at which the file is hosted.
For instance, with the following request:
curl "https://api.trello.com/1/cards/{idCard}/attachments/?fields=url&key={{apiKey}}&token={{apiToken}}"
You’d get back an HTTP 200 response with the following body:
[{
"id": "5ef22a288dcee602857a9990",
"url": "https://trello-attachments.s3.amazonaws.com/5b6893f01cb3228998cf629e/5b6b3ed249cf2381d501427c/c017c7020704c12468c868be104e4ed4/me.png"
}]
The URL provided in url is publicly available and requires no authorization of any sort to access.
Moving forward, public access to these files will be turned off, and the value returned for url will no longer be the location where the file is hosted. Instead, it will be a URL that includes /download/ in the path, similar to the one below:
[{
"id": "5ef22a288dcee602857a9990",
"url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png"
}]
The /download/ URL format is the following:
https://api.trello.com/1/cards/{idCard}/attachments/{idAttachment}/download/{attachmentFileName}
If you are using the files directly in your application as a single user, you can add in an API key and token to the request to the /download/ URL.
Making a GET request with the key and token in the Authorization header will return the hosted file.
For instance, here is how you’d make the request with curl for an attachment with the ID 5edfd184387b678655b58348 and the attachment file named my_image.png:
curl -H "Authorization: OAuth oauth_consumer_key=\"{{key}}\", oauth_token=\"{{token}}\"" https://api.trello.com/1/cards/5e839f3696a55979a932b3ad/attachments/5edfd184387b678655b58348/download/my_image.png
If your application needs to give broader access to the file (like showing the file to multiple users), you do not want to leak the key and token. Instead, your client should download a local copy of the file and then manage access appropriately.
Opt In To Try New Routes
You can currently construct the /download/ routes and pass in authorization. We HIGHLY recommend updating to use this access pattern now as no changes will be required when authorization is required.
When constructing the new routes, remember that the name property is user modifiable and may change. For use as a file path either use the new fileName property, or parse the file name out of the url.
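The access pattern described above, as an added example that is not Trello's own code: it builds the /download/ URL from fileName (or the file name parsed out of url), puts the key and token only in the Authorization header, and refuses to attach them to anything that is not a /download/ route on api.trello.com. The function names are hypothetical, ids are assumed to be 24-character hex strings like the ones on this page, and nothing is sent over the network.

```python
import re
from urllib.parse import quote, unquote, urlsplit
from urllib.request import Request

API_HOST = "api.trello.com"
# Assumption: ids are 24-character hex strings, like the ones shown on this page.
DOWNLOAD_PATH = re.compile(
    r"/1/cards/[0-9a-f]{24}/attachments/[0-9a-f]{24}/download/[^/]+")


def is_download_route(url):
    """True only for an https /download/ URL on the API host with no query string."""
    parts = urlsplit(url)
    return (parts.scheme == "https" and parts.hostname == API_HOST
            and not parts.query and DOWNLOAD_PATH.fullmatch(parts.path) is not None)


def file_name_for(attachment):
    """Take fileName, else the last path segment of url; never the editable name."""
    name = attachment.get("fileName")
    if not name:
        name = unquote(urlsplit(attachment["url"]).path.rsplit("/", 1)[-1])
    # The value ends up in a URL path and possibly a local path: one plain segment only.
    if name in ("", ".", "..") or any(c in name for c in "/\\\x00"):
        raise ValueError("unusable attachment file name: %r" % name)
    return name


def download_request(card_id, attachment, key, token):
    """Build (without sending) the GET for the /download/ route, credentials in the header."""
    url = "https://%s/1/cards/%s/attachments/%s/download/%s" % (
        API_HOST, card_id, attachment["id"], quote(file_name_for(attachment), safe=""))
    if not is_download_route(url):
        raise ValueError("refusing to attach credentials to %s" % url)
    auth = 'OAuth oauth_consumer_key="%s", oauth_token="%s"' % (key, token)
    return Request(url, headers={"Authorization": auth})


if __name__ == "__main__":
    # Constructed sample: the attachment record from the response shown above.
    sample = {"id": "5ef22a288dcee602857a9990",
              "url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/"
                     "5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png"}
    req = download_request("5edfa37673e537161016361c", sample, "{{key}}", "{{token}}")
    print(req.full_url)
    print(req.get_header("Authorization"))
```

Pass the returned Request to urllib.request.urlopen to fetch the file, then serve the local copy to other users so the key and token never leave your backend.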