SecuFile Production
SecuFile API
A dual API: native REST + S3-compatible endpoint
Integrate with boto3, s3cmd, rclone, or directly via REST. Signed webhooks, Python/Go SDKs.
# Upload a client-side encrypted document, then request a signature
curl -X POST https://api.secuaas.com/v1/secufile/documents \
  -H "Authorization: Bearer $SECUFILE_API_KEY" \
  -H "Idempotency-Key: $(uuidgen)" \
  -H "Content-Type: application/json" \
  -d '{
    "filename": "promesse-achat-12345.pdf",
    "ciphertext_url": "https://blob.example.com/abc123",
    "key_wrap": "vault://kms/key/01HX...",
    "signers": [{"email":"client@example.com","role":"buyer"}]
  }'
# → { "document_id": "doc_01HX...", "signature_url": "https://..." }
Bearer auth
API tokens with granular scopes (documents:read, documents:write, signatures:create, audit:read…).
Idempotency-Key
All POST requests accept an Idempotency-Key header (UUID v4) for safe retries and deduplication on network errors.
HMAC-signed webhooks
`X-Secufile-Signature` header (SHA-256), immutable payload, replay protection via `X-Secufile-Timestamp`.
OpenAPI 3.1
Full schema, automatic client generation, Postman collection, curl/Python/Go examples.
Webhook verification
Every webhook sent by SecuFile is signed. Verify the signature server-side to reject inauthentic payloads.
webhook-verify.js
// HMAC-SHA256 verification of a SecuFile webhook
import crypto from 'node:crypto';

function verify(signature, body, secret) {
  const expected = 'sha256=' + crypto
    .createHmac('sha256', secret)
    .update(body)
    .digest('hex');
  const received = Buffer.from(signature);
  const computed = Buffer.from(expected);
  // timingSafeEqual throws if the lengths differ, so reject mismatched lengths first
  return received.length === computed.length &&
    crypto.timingSafeEqual(received, computed);
}

Main endpoints
POST /v1/documents: Upload an encrypted document
GET /v1/documents/{id}: Metadata + wrapped key
POST /v1/documents/{id}/signatures: Request a signature
POST /v1/shares: Create a signed link with expiration
GET /v1/audit: Immutable audit stream, filterable by user/bucket/action, SIEM export.
POST /v1/webhooks: Register a signed webhook (object.uploaded, share.accessed, retention.expired).
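
For the HMAC-signed webhooks and the `X-Secufile-Timestamp` replay protection described above, here is an added example (not SecuFile's own code) that combines the signature check with a freshness window and a replay cache. Assumptions: the timestamp is Unix epoch seconds, the HMAC covers the raw body only (as in the page's `verify`), and `checkWebhook`, the 300-second tolerance, the in-memory cache and the sample payload are constructed for illustration.

```javascript
// Added example, not SecuFile code. Assumptions are marked inline.
const crypto = require('node:crypto');

const TOLERANCE_S = 300;   // assumption: accept timestamps within +/- 5 minutes
const seen = new Map();    // accepted signature -> expiry (epoch s); per-process cache

function hmacHex(secret, rawBody) {
  return 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
}

// headers: lower-cased header map; rawBody: Buffer of the exact bytes received
// (re-serialized JSON would not match the signed bytes).
// Returns { ok: true } or { ok: false, reason }.
function checkWebhook(headers, rawBody, secret, nowS = Math.floor(Date.now() / 1000)) {
  const sig = headers['x-secufile-signature'];
  const ts = Number(headers['x-secufile-timestamp']); // assumption: Unix epoch seconds
  if (typeof sig !== 'string' || !Number.isFinite(ts)) {
    return { ok: false, reason: 'missing-header' };
  }
  // timingSafeEqual throws on unequal lengths, so gate on length first.
  const got = Buffer.from(sig);
  const want = Buffer.from(hmacHex(secret, rawBody));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (Math.abs(nowS - ts) > TOLERANCE_S) {
    return { ok: false, reason: 'stale-timestamp' };
  }
  // The timestamp is not covered by the body-only HMAC assumed here, so the
  // replay cache is keyed on the signature, not on the timestamp.
  for (const [k, exp] of seen) if (exp <= nowS) seen.delete(k);
  if (seen.has(sig)) return { ok: false, reason: 'replayed' };
  seen.set(sig, nowS + 2 * TOLERANCE_S);
  return { ok: true };
}

// Constructed sample delivery (not real SecuFile data).
const SAMPLE_SECRET = 'constructed-webhook-secret';
const SAMPLE_BODY = Buffer.from('{"event":"object.uploaded","id":"evt_constructed"}');
const SAMPLE_HEADERS = {
  'x-secufile-signature': hmacHex(SAMPLE_SECRET, SAMPLE_BODY),
  'x-secufile-timestamp': '1700000000',
};
console.log(checkWebhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET, 1700000010)); // first delivery
console.log(checkWebhook(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_SECRET, 1700000010)); // same delivery again
```

With several receiver instances the replay cache needs shared storage, and a handler should treat a duplicate delivery as already processed instead of acting on it twice.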