Plik

Appearance

HTTP API

Full REST API reference. All endpoints accept/return JSON unless noted.

Public Endpoints

MethodPathDescription
GET/configServer configuration (feature flags, limits, downloadURL)
GET/versionBuild info — public, richer for admin sessions (see below)
GET/qrcode?url=...&size=...Generate QR code PNG
GET/healthHealth check

Upload & File Endpoints

Authentication: session cookie or X-PlikToken header.

MethodPathDescription
POST/Quick upload: create upload + add file
POST/uploadCreate upload with options
GET/upload/{uploadID}Get upload metadata
DELETE/upload/{uploadID}Delete upload
POST/file/{uploadID}Add file (multipart)
POST/file/{uploadID}/{fileID}/{filename}Add file with known ID (stream mode)
DELETE/file/{uploadID}/{fileID}/{filename}Remove file
GET/file/{uploadID}/{fileID}/{filename}Download file
HEAD/file/{uploadID}/{fileID}/{filename}File metadata
POST/stream/{uploadID}/{fileID}/{filename}Stream upload
DELETE/stream/{uploadID}/{fileID}/{filename}Cancel stream upload
GET, HEAD/stream/{uploadID}/{fileID}/{filename}Stream download
GET, HEAD/archive/{uploadID}/{filename}Download all files as zip

GET /version

Public endpoint. All callers receive version, clients, and releases. Admin sessions receive the full build details:

FieldPublicAdmin only
version
clients
releases
date
user
host
gitShortRevision
gitFullRevision
goVersion
isRelease
isMint

Create Upload (POST /upload)

json
{
    "ttl": 86400,
    "extend_ttl": false,
    "oneShot": false,
    "removable": true,
    "stream": false,
    "login": "foo",
    "password": "bar",
    "comments": "optional markdown",
    "e2ee": "age"
}

Response:

json
{
    "id": "TczL35OTIb3InNr6",
    "uploadToken": "50lGHbLEIrpJOl4uECddTI7pga...",
    "downloadDomain": "https://dl.example.com",
    "downloadURL": "https://dl.example.com/sub",
    "files": []
}

downloadDomain — raw domain configured as DownloadDomain, kept for backward compatibility. downloadURL — fully-qualified base URL for file/archive links. Present when PlikDomain or DownloadDomain is configured. Uses DownloadDomain + Path when set, otherwise PlikDomain + Path. Absent when neither domain is configured — clients should fall back to the URL they used to reach the server.

Add File (POST /file/{uploadID})

Send as multipart/form-data with file field. The X-UploadToken header is required (returned from upload creation).

Download File

The upload token is not required for public uploads. For password-protected uploads, provide HTTP Basic auth with the upload's login/password.

HTTP Range requests (Range header) are supported on file downloads, allowing partial content retrieval (206 responses).

GET /config — Selected Response Fields

FieldTypeDescription
downloadDomainstringRaw configured DownloadDomain (backward compat)
downloadURLstringBase URL for file/archive links. Present when PlikDomain or DownloadDomain is configured (DownloadDomain + Path, or PlikDomain + Path). Absent otherwise
plikDomainstringConfigured PlikDomain (public server URL, no path)
maxFileSizeintMax file size in bytes (-1 = unlimited)
feature_*stringFeature flag values: disabled, enabled, default, forced

Authentication Endpoints

MethodPathDescription
GET/auth/google/loginGet Google consent URL
GET/auth/google/callbackGoogle OAuth callback
GET/auth/github/loginGet GitHub consent URL
GET/auth/github/callbackGitHub OAuth callback
GET/auth/ovh/loginGet OVH consent URL
GET/auth/ovh/callbackOVH OAuth callback
GET/auth/oidc/loginGet OIDC consent URL
GET/auth/oidc/callbackOIDC callback
POST/auth/local/loginLogin { "login": "...", "password": "..." }
POST/auth/cli/initStart CLI auth session { "hostname": "..." }
POST/auth/cli/approveApprove CLI session { "code": "...", "comment": "..." }
POST/auth/cli/pollPoll CLI session { "code": "...", "secret": "..." }
GET/auth/logoutLogout

User Endpoints

Requires authenticated session cookie.

MethodPathDescription
GET/meCurrent user info
PATCH/meUpdate self-editable profile fields (name, email, theme, language)
DELETE/meDelete own account
GET/me/tokenList tokens (paginated)
POST/me/tokenCreate upload token { "comment": "..." }
DELETE/me/token/{token}Revoke token
GET/me/uploadsList uploads (paginated, filterable)
DELETE/me/uploadsRemove all uploads
GET/me/statsUser statistics

Admin Endpoints

Requires admin session cookie.

MethodPathDescription
POST/userCreate user
GET/user/{userID}Get user info
POST/user/{userID}Update user
DELETE/user/{userID}Delete user
GET/statsServer statistics
GET/usersList all users (paginated, filterable)
GET/users/search?q=...Search users (optional: provider, admin, limit)
GET/uploadsList all uploads (paginated, filterable)

Pagination

Paginated endpoints use cursor-based pagination. Parameters can be passed as query strings or as a JSON object in the X-Plik-Paging header.

ParameterDefaultDescription
limit20Max results per page
orderdescSort order (asc/desc)
beforeCursor: fetch items before this ID
afterCursor: fetch items after this ID

Paginated responses use this envelope:

json
{
    "before": "cursor-id-for-previous-page",
    "after": "cursor-id-for-next-page",
    "total": 142,
    "results": [...]
}

Pass the after value as the after query parameter to fetch the next page. Pass before to go backwards. A null cursor means there are no more pages in that direction.

Upload Filters

Upload listing endpoints (/me/uploads, /uploads) accept these optional query parameters:

ParameterTypeDescription
sortstringsize to sort by total upload size (default: createdAt)
userstringFilter by user ID (admin only)
tokenstringFilter by upload token (admin only)
oneShotboolFilter one-shot uploads
removableboolFilter removable uploads
streamboolFilter stream uploads
extendTTLboolFilter extend-TTL uploads
passwordboolFilter password-protected uploads
e2eeboolFilter end-to-end encrypted uploads

User Filters

User listing endpoints (/users) accept:

ParameterTypeDescription
providerstringFilter by auth provider (e.g. google, ovh, oidc, local)
adminboolFilter admin/non-admin users

Released under the MIT License.

Copyright © root-gg