Skip to main content

Endpoint

GET /download/file

Authentication

This endpoint uses JWT authentication via a signed download URL token, not Bearer token authentication. The JWT token must be included in the query string as the token parameter.

Query Parameters

token
string
required
Signed JWT token authorizing the download. Generated by the Panel.

JWT Payload

The JWT token must contain:
server_uuid
string
required
The UUID of the server
file_path
string
required
Path to the file to download (relative to server root)
unique_id
string
Optional unique identifier for one-time use enforcement

Response

Returns the raw file contents with download headers:
  • Content-Disposition: attachment with filename
  • Content-Type: application/octet-stream
  • Content-Length: File size in bytes

Example Request

curl -X GET "https://wings.example.com/download/file?token=SIGNED_JWT_TOKEN" \
  -o downloaded-file.txt

Behavior

  • JWT tokens are typically one-time use and invalidated after the first download
  • File content is streamed directly to the client
  • The filename in Content-Disposition header is extracted from the file path
  • Path traversal is prevented - files outside the server directory cannot be accessed
Download URLs are typically generated by the Pterodactyl Panel when a user initiates a file download through the UI.

Error Responses

Missing or invalid JWT token, or token has already been used (one-time tokens)
Server or file does not exist
Failed to read file

JWT Token Generation

Download tokens are generated by the Panel and should:
  • Include server_uuid and file_path claims
  • Have a short expiration time (recommended: 5-15 minutes)
  • Include a unique_id claim for one-time use enforcement

Use Cases

  • Download world/map backups
  • Export configuration files
  • Download log files for analysis
  • Retrieve generated reports

Source Reference

Implementation: router/router_download.go (getDownloadFile function)

Build docs developers (and LLMs) love

Get started for freeTalk to us