Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/noelzappy/vaulx/llms.txt

Use this file to discover all available pages before exploring further.

Vaulx exposes an HTTP API built on the Chi v5 router. The majority of routes return server-rendered HTML for direct browser use and HTMX partial updates, while upload, preview, folder listing, and multipart S3 workflows use JSON. All protected routes require a valid session cookie obtained via POST /auth/login.

Base URL

http://localhost:8080
Replace localhost:8080 with your deployment hostname and port. When running behind a TLS-terminating reverse proxy, use https:// instead.

Request Formats

There is no API key authentication — all requests use the browser session cookie set by POST /auth/login. See the Authentication page for full details.
Route typeExpected Content-TypeNotes
HTML form routesapplication/x-www-form-urlencodedStandard HTML form POST bodies
JSON API routes (/api/...)application/jsonBoth request and response bodies are JSON
HTMX partial requestsAnyInclude HX-Request: true to receive partial HTML fragments
When the HX-Request: true header is present on a request, applicable handlers return only the relevant HTML partial rather than the full page layout.

Response Formats

Response typeContent-Type headerAdditional headers
Full HTML pagestext/html; charset=utf-8
JSON API responsesapplication/json
HTMX toast notificationstext/html; charset=utf-8HX-Trigger with a JSON payload
The HX-Trigger response header carries a JSON payload that HTMX uses to fire client-side events — for example, to display toast notifications after a file upload or deletion.

Authentication

Authentication is session-cookie-based. After a successful POST /auth/login, the server sets a vaulx-session cookie that must be sent with every subsequent request to a protected route. See the Authentication page for the full login flow, cookie attributes, and curl examples.

Rate Limiting

Vaulx applies per-IP rate limits on two endpoints to reduce abuse:
EndpointLimit
POST /auth/login10 requests per IP per minute
POST /s/{slug}/zip/prepare5 requests per IP per minute
Requests that exceed the limit receive a 429 Too Many Requests response.

Public Routes

The following share routes are accessible without authentication:
MethodPathDescription
GET/s/{slug}Render the public share page for a slug
GET/s/{slug}/downloadDirect download of the shared file
GET/s/{slug}/file/{fileID}Download a specific file within a share
GET/s/{slug}/zipStream a ZIP archive of the share
POST/s/{slug}/zip/prepareEnqueue a ZIP build job for the share (rate-limited: 5/min per IP)
GET/s/{slug}/zip/statusPoll the status of an in-progress ZIP job

Full Route Table

All other routes require a valid vaulx-session cookie (marked Auth required).

Root

MethodPathAuth requiredDescription
GET/NoRedirects to /files

Auth

MethodPathAuth requiredDescription
GET/auth/loginNoRender the HTML login page
POST/auth/loginNoAuthenticate with email + password; sets session cookie (rate-limited: 10/min per IP)
POST/auth/logoutNoExpire the session cookie and redirect to /auth/login

Files

MethodPathAuth requiredDescription
GET/filesYesList files and folders in the root
GET/files/searchYesSearch files by name
GET/files/{folderID}YesList the contents of a specific folder
DELETE/files/{fileID}YesDelete a file (moves to trash)
PATCH/files/{fileID}/nameYesRename a file
PATCH/files/{fileID}/folderYesMove a file to a different folder
POST/files/{fileID}/shareYesCreate a public share link for a file
GET/uploadYesRender the upload page

Folders

MethodPathAuth requiredDescription
POST/files/foldersYesCreate a new folder
DELETE/files/folders/{folderID}YesDelete a folder
PATCH/files/folders/{folderID}YesRename a folder
POST/files/folders/{folderID}/shareYesCreate a public share link for a folder

Upload

MethodPathAuth requiredDescription
POST/api/upload/initYesInitialise a single-file upload; returns a presigned S3 URL
POST/api/upload/confirm/{fileID}YesConfirm that an upload to S3 has completed
GET/api/file/{fileID}/previewYesFetch a preview/thumbnail URL for a file
GET/api/foldersYesReturn all folders as a JSON array

Shares

MethodPathAuth requiredDescription
GET/sharesYesList all active share links owned by the current user
DELETE/shares/{shareID}YesRevoke (delete) a share link

Profile

MethodPathAuth requiredDescription
GET/profileYesRender the profile settings page
POST/profileYesUpdate the current user’s display name
POST/profile/passwordYesChange the current user’s password

Multipart Upload (S3)

These endpoints proxy the S3 multipart upload lifecycle and are consumed by the browser-side upload client.
MethodPathAuth requiredDescription
POST/api/s3/multipartYesInitiate a new S3 multipart upload
GET/api/s3/multipart/{uploadId}YesList parts already uploaded for an in-progress multipart upload
GET/api/s3/multipart/{uploadId}/{partNumber}YesGet a presigned URL for uploading a specific part
DELETE/api/s3/multipart/{uploadId}YesAbort a multipart upload and discard uploaded parts
POST/api/s3/multipart/{uploadId}/completeYesComplete the multipart upload and assemble the final object

Admin

Admin routes are accessible only to users whose session role is admin. Requests from non-admin users receive a 403 Forbidden response.
MethodPathAuth requiredDescription
GET/admin/usersYes (admin)List all users
POST/admin/usersYes (admin)Create a new user
PATCH/admin/users/{userID}Yes (admin)Update a user’s details or role
GET/admin/auditYes (admin)View the audit log
GET/admin/trashYes (admin)View soft-deleted files
POST/admin/trash/{fileID}/restoreYes (admin)Restore a soft-deleted file
GET/admin/permissionsYes (admin)List all permission grants
POST/admin/permissionsYes (admin)Grant a permission to a user
DELETE/admin/permissions/{permID}Yes (admin)Revoke a permission grant

ZIP Download

Authenticated ZIP routes mirror the public share ZIP routes but operate on folders within the authenticated user’s own storage.
MethodPathAuth requiredDescription
GET/files/{folderID}/zipYesStream a ZIP archive of a folder
POST/files/{folderID}/zip/prepareYesEnqueue a background ZIP build job for a folder
GET/files/{folderID}/zip/statusYesPoll the status of an in-progress ZIP job

Build docs developers (and LLMs) love