Update: Authenticated Access to S3


Trello will begin requiring API key and token authorization via the Authorization header to access card attachment download URLs.

Update: This was previously announced but the implementation has changed enough that we are re-announcing. Query parameter-based authorization will be turned off on January 25, 2021. The manually built /download/ routes we previously recommended continue to be our recommendation moving forward.

We will be reaching out directly to developers who are using query parameters for authorization to ensure that your applications are updated before query parameter-based auth is turned off.


Authorization for attachments will be turned on for individual enterprises on an enterprise-by-enterprise basis. We will create a new changelog card at the point in time it is going to be turned on for all attachments.

As of right now, you can construct the future-proof /download/ URLs and pass in an Authorization header. We HIGHLY recommend updating to use this access pattern now as no changes will be required when authorization is required. More on this in Opt In To Try New Routes below.

The previously announced query-based authorization will be turned off on January 25, 2021.


Currently, when you make a request to GET a file attachment on a card, you will receive back a payload that includes the URL at which the file is hosted.

For instance, with the following request:

curl "https://api.trello.com/1/cards/{idCard}/attachments/?fields=url&key={{apiKey}}&token={{apiToken}}"

You’d get back an HTTP 200 response with the following body:

{
  "id": "5ef22a288dcee602857a9990",
  "url": "https://trello-attachments.s3.amazonaws.com/5b6893f01cb3228998cf629e/5b6b3ed249cf2381d501427c/c017c7020704c12468c868be104e4ed4/me.png"
}

The URL provided in url is publicly available and requires no authorization of any sort to access.

Moving forward, public access to these files will be turned off. And the value returned for the url will no longer be the location where the file is hosted. Instead it will be a URL that includes /download/ in the path, similar to below:

{
  "id": "5ef22a288dcee602857a9990",
  "url": "https://api.trello.com/1/cards/5edfa37673e537161016361c/attachments/5ef22a288dcee602857a9990/download/Screen_Shot_2020-06-23_at_11.13.18_AM.png"
}

The /download/ URL format is the following:


If you are using the files directly in your application as a single user, you can add in an API key and token to the request to the /download/ URL.

Making a GET request with the key and token in the Authorization header will return the hosted file.

For instance, here is how you’d make the request with curl for an attachment with the ID 5edfd184387b678655b58348 and the attachment file named my_image.png:

curl -H "Authorization: OAuth oauth_consumer_key=\"{{key}}\", oauth_token=\"{{token}}\"" https://api.trello.com/1/cards/5e839f3696a55979a932b3ad/attachments/5edfd184387b678655b58348/download/my_image.png

If your application needs to give broader access to the file (like showing the file to multiple users), you do not want to leak the key and token. Instead, your client should download a local copy of the file and then manage access appropriately.

Opt In To Try New Routes

You can currently construct the /download/ routes and pass in authorization. We HIGHLY recommend updating to use this access pattern now as no changes will be required when authorization is required.

When constructing the new routes, remember that the name property is user modifiable and may change. For use as a file path either use the new fileName property, or parse the file name out of the url.
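The migration described above, as an added example that is not Trello's own code: it moves a key and token out of the query string into the Authorization header, refuses to attach credentials for any other host, and derives a local file name from the URL path. The function names, the single-host restriction and the sample URL with placeholder credentials are assumptions made for this illustration.

```python
import posixpath
import urllib.request
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

API_HOST = "api.trello.com"  # assumption: the only host that should see the key/token

# Constructed sample: a /download/ URL still carrying query-parameter credentials.
LEGACY_URL = ("https://api.trello.com/1/cards/5e839f3696a55979a932b3ad/attachments/"
              "5edfd184387b678655b58348/download/my_image.png"
              "?key=KEY_PLACEHOLDER&token=TOKEN_PLACEHOLDER")

def oauth_header(key, token):
    """Header value in the shape used by the announcement's curl example."""
    return f'OAuth oauth_consumer_key="{key}", oauth_token="{token}"'

def build_request(url, key=None, token=None):
    """Return a Request with credentials in the Authorization header only."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError(f"refusing to attach credentials for {parts.hostname!r}")
    query = parse_qsl(parts.query, keep_blank_values=True)
    legacy = dict(query)
    key, token = key or legacy.get("key"), token or legacy.get("token")
    if not key or not token:
        raise ValueError("API key and token are required")
    # Drop key/token from the query string so they are not sent in the URL.
    kept = [(k, v) for k, v in query if k not in ("key", "token")]
    req = urllib.request.Request(urlunsplit(parts._replace(query=urlencode(kept))))
    req.add_header("Authorization", oauth_header(key, token))
    return req

def local_name(url):
    """Bare file name from the URL path; directory components are discarded."""
    path = unquote(urlsplit(url).path).replace("\\", "/")
    name = posixpath.basename(path)
    if name in ("", ".", ".."):
        raise ValueError("URL path has no usable file name")
    return name

def download(url, key=None, token=None, dest_dir="."):
    """Fetch the attachment and keep a local copy (performs a network request)."""
    req = build_request(url, key, token)
    dest = posixpath.join(dest_dir, local_name(url))
    with urllib.request.urlopen(req) as resp, open(dest, "wb") as out:
        out.write(resp.read())
    return dest
```

Only `download` touches the network; `build_request` and `local_name` can be checked offline against URLs taken from an attachment payload.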


Can I access a private board/card’s images without login?
(I have generated the attachment URL with the authorization header; now I want to send the image URL to another person.) Since the user doesn’t have the login, can he access it? Or is there any other way to send a downloadable link to others? (My board is private.)
I’m trying to download the attachment locally and send it from there (local).
When I try to download from a private board, it says unauthorized permission requested.
Below is the code sample that I tried for downloading the image locally.

// Fetch a URL with cURL and return the response body as a string.
function file_get_contents_curl($url) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_URL, $url);
    $data = curl_exec($ch);
    curl_close($ch);
    return $data;
}

// Download the attachment and write it to a local file.
$data = file_get_contents_curl('https://trello.com/1/cards/613045d422b04355c633730a/attachments/613045f5ce12596c264df8cd/download/161462203_2344483315686428_8238734825821897385_o.jpg');
$fp = 'logo-2.jpg';
file_put_contents($fp, $data);

Do you send the key in the header? The request URL looks good to me.
Don’t know if it’s any different, but I’m using https://api.trello.com/ instead of https://trello.com/

I think based on that, you can’t turn around and share it publicly without first downloading the image and then sharing outside of Trello.

I tried doing that. I was able to download a public board image to my local machine, but not a private board image.

How are you passing your key and token? It needs to be passed in the header in oauth1.0 format.