curl -X POST "https://your-zipline.com/api/user/files/clxyz123/password" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "secret123"
  }'

POST /api/user/files/:id/password

Verify the password for a password-protected file. Upon successful verification, a cookie is set that allows access to the file for 60 seconds.
This endpoint is rate-limited to 2 requests per second to prevent brute-force attacks.

Path Parameters

id
string
required
The file ID or file name to verify password for. Both the unique file ID (clxyz123) and the file name on server (abc123.png) are accepted.

Request Body

password
string
required
The password to verify for the file. Whitespace is automatically trimmed.

Response

success
boolean
Always true when the password is correct. If incorrect, an error is returned instead.

Example Request

{
  "password": "my-secret-password"
}

Example Response

{
  "success": true
}

Cookies Set on Success

When the password is verified successfully, a cookie named file_pw_{fileId} is set with:
  • Value: The verified password
  • Max Age: 60 seconds
  • HttpOnly: false (accessible to JavaScript)
  • Secure: false
  • SameSite: lax
  • Path: /
This cookie is used by the file access system to allow viewing the file without re-entering the password for 60 seconds.
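The attributes listed above mean the verified password itself sits in a script-readable cookie for 60 seconds. The following JavaScript check is an added example, not Zipline's own code: it parses a Set-Cookie header for the file_pw_ cookie and reports which of those exposures apply. The sample header is constructed from the attribute list above, and the function names and finding labels are assumptions.

```javascript
// Added example: audits a Set-Cookie header against the attributes documented above.
// SAMPLE_SET_COOKIE is constructed from this page's attribute list, not captured output.
const SAMPLE_SET_COOKIE =
  "file_pw_clxyz123=secret123; Max-Age=60; Path=/; SameSite=Lax";

// Split a Set-Cookie header into its name, value and lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1); // flag attributes become true
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Hypothetical helper: returns null for unrelated cookies, otherwise the exposures found.
function auditFilePwCookie(header, submittedPassword) {
  const { name, value, attrs } = parseSetCookie(header);
  if (!name.startsWith("file_pw_")) return null; // not the cookie this endpoint sets
  let decoded = value;
  try { decoded = decodeURIComponent(value); } catch (_) { /* keep the raw value */ }
  const findings = [];
  // The endpoint trims whitespace, so compare against the trimmed password.
  if (decoded === submittedPassword.trim()) findings.push("value-is-plaintext-password");
  if (!attrs.httponly) findings.push("readable-by-page-scripts");
  if (!attrs.secure) findings.push("sent-over-plain-http");
  if (attrs.path === "/") findings.push("sent-to-every-path");
  return {
    fileId: name.slice("file_pw_".length),
    lifetimeSeconds: Number(attrs["max-age"] ?? NaN),
    findings,
  };
}

console.log(auditFilePwCookie(SAMPLE_SET_COOKIE, "secret123"));
```

Running the check on a header captured from your own deployment shows whether a reverse proxy or TLS terminator in front of Zipline has changed any of these attributes.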

Error Responses

404 Not Found
  • The file does not exist
  • The file does not have password protection enabled
403 Forbidden
The provided password is incorrect.
429 Too Many Requests
Rate limit exceeded. You can only make 2 password verification attempts per second.

Security Features

  1. Rate Limiting: Limited to 2 requests per second to prevent brute-force attacks
  2. Password Hashing: Passwords are stored hashed in the database and verified using secure hashing
  3. Audit Logging: Both successful and failed password attempts are logged with:
    • File name
    • IP address
    • User agent
    • Timestamp

Use Case

This endpoint is typically used when:
  1. A user tries to view a password-protected file
  2. The frontend prompts for a password
  3. The password is submitted to this endpoint
  4. If successful, the file can be accessed for the next 60 seconds
  5. After 60 seconds, the password must be re-entered
For automated access, consider updating the file to remove password protection using the Update File endpoint instead of repeatedly verifying passwords.
