ONE.GY

OVERVIEW

Upload, download, manage, and delete files programmatically over HTTPS. All endpoints use the base URL shown below.

Guest uploads are temporary and expire automatically. Authenticated users can upload to their cloud drive with optional permanent retention.

BASE URL

https://dev.one.gy

MAX UPLOAD SIZE

10 GB

DEFAULT EXPIRY

1 DAY

ENCRYPTION

FERNET (AT REST)

UPLOAD

POST

/upload

Upload one or more files via multipart form data. Returns a management URL and a download URL. Multiple files are automatically bundled into a ZIP archive server-side.

To password-protect an upload, first upload the file, then set a password via the MANAGE endpoint using the management token from the upload response.

EXAMPLES

▶ CURL

# Upload a single file
curl -X POST https://dev.one.gy/upload \
  -F "files=@photo.jpg"

# Upload multiple files
curl -X POST https://dev.one.gy/upload \
  -F "files=@file1.txt" \
  -F "files=@file2.png"

# Upload and set a password
TOKEN=$(curl -s -X POST https://dev.one.gy/upload \
  -F "files=@photo.jpg" | python3 -c "import sys,json; print(json.load(sys.stdin)['management_token'])")
curl -X POST "https://dev.one.gy/manage/$TOKEN" \
  -H "X-Requested-With: XMLHttpRequest" \
  -d "password=yourpassword"

▶ WGET

wget --method=POST \
  --body-file=photo.jpg \
  --header="Content-Type: multipart/form-data; boundary=BOUNDARY" \
  -O response.json \
  "https://dev.one.gy/upload"

▶ PYTHON

import requests

# Upload a file
response = requests.post(
    "https://dev.one.gy/upload",
    files=[
        ("files", ("report.pdf", open("report.pdf", "rb"))),
        ("files", ("data.csv", open("data.csv", "rb"))),
    ],
    verify=False,  # Only if using self-signed certificate
)
result = response.json()
print(f"Download: {result['download_url']}")
print(f"Manage:   https://dev.one.gy{result['redirect']}")

# Upload and set a password
response = requests.post(
    "https://dev.one.gy/upload",
    files=[("files", ("secret.pdf", open("secret.pdf", "rb")))],
    verify=False,
)
token = response.json()["management_token"]
requests.post(
    f"https://dev.one.gy/manage/{token}",
    headers={"X-Requested-With": "XMLHttpRequest"},
    data={"password": "yourpassword"},
    verify=False,
)

PARAMETERS

NAME TYPE DESCRIPTION

files file One or more files (multipart/form-data). Use file for single E2E uploads.

short_url string "true" to generate a short 6-character URL code

e2e string "true" for client-side encrypted uploads (see E2E section)

e2e_salt string Base64 salt (required if e2e=true)

e2e_iv string Base64 IV (required if e2e=true)

RESPONSE

▶ 200 OK

{
  "redirect": "/manage/{management_token}",
  "download_url": "https://dev.one.gy/f/{file_id}/{filename}",
  "management_token": "{management_token}"
}

DOWNLOAD

GET

/f/{file_id}/{filename}

Download a file by its UUID. Including the filename in the URL ensures wget and curl -O save with the correct name. Password-protected files require the pw query parameter.

EXAMPLES

▶ WGET

# Public file
wget "https://dev.one.gy/f/{file_id}/{filename}"

# Password-protected file
wget "https://dev.one.gy/f/{file_id}/{filename}?pw=yourpassword"

▶ CURL

# Public file
curl -O "https://dev.one.gy/f/{file_id}/{filename}"

# Password-protected file
curl -O "https://dev.one.gy/f/{file_id}/{filename}?pw=yourpassword"

▶ PYTHON

import requests

# Public file
response = requests.get(
    "https://dev.one.gy/f/{file_id}/{filename}",
    verify=False,
)
with open("photo.jpg", "wb") as f:
    f.write(response.content)

# Password-protected file
response = requests.get(
    "https://dev.one.gy/f/{file_id}/{filename}",
    params={"pw": "yourpassword"},
    verify=False,
)

PARAMETERS

NAME TYPE DESCRIPTION

file_id path UUID of the file

filename path Original filename (optional, ensures correct save name)

pw query Password for protected files

RESPONSE

▶ 200 OK

Binary file data (streamed)

MANAGE FILE

GET

/manage/{token}

View file management page. The management token is returned in the upload response under redirect. Requires session ownership.

POST

/manage/{token}

Update file settings programmatically. Set the X-Requested-With: XMLHttpRequest header to receive a JSON response instead of a redirect.

EXAMPLES

▶ CURL - UPDATE SETTINGS

curl -X POST https://dev.one.gy/manage/{token} \
  -H "X-Requested-With: XMLHttpRequest" \
  -d "public=on" \
  -d "expires=7d" \
  -d "max_downloads=100"

PARAMETERS

NAME TYPE DESCRIPTION

public string "on" for public access (clears password)

password string Set file password (only when not public)

expires string 30m, 6h, 1d, 3d, 7d, or never (logged-in only)

max_downloads integer Max total downloads. File is deleted when limit is reached.

RESPONSE

▶ 200 OK (AJAX)

{
  "success": true,
  "has_password": false
}

DELETE FILE

POST

/delete/{token}

Permanently delete a file from the server. Requires the management token and session ownership. The token is the last segment of the management URL returned during upload.

EXAMPLES

▶ CURL

curl -X POST https://dev.one.gy/delete/{token} \
  -H "X-Requested-With: XMLHttpRequest"

RESPONSE

▶ 200 OK (AJAX)

{"success": true}

E2E ENCRYPTION

End-to-end encrypted files are encrypted on the client before upload. The server never sees the plaintext data or the encryption key. E2E files use AES-256-GCM with PBKDF2 key derivation (100,000 iterations).

The flow is: derive a key from a passphrase using PBKDF2 with a random salt, encrypt the file with AES-256-GCM using a random IV, then upload the ciphertext along with the salt and IV as form parameters.

UPLOAD WITH E2E ENCRYPTION

POST

/upload

▶ PYTHON - E2E UPLOAD

import os
import base64
import requests
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes

# Configuration
PASSPHRASE = "my-secret-passphrase"
FILE_PATH = "secret-document.pdf"
DOMAIN = "https://dev.one.gy"

# Generate random salt and IV
salt = os.urandom(16)
iv = os.urandom(12)

# Derive key from passphrase using PBKDF2
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=100000,
)
key = kdf.derive(PASSPHRASE.encode("utf-8"))

# Encrypt file with AES-256-GCM
with open(FILE_PATH, "rb") as f:
    plaintext = f.read()

aesgcm = AESGCM(key)
ciphertext = aesgcm.encrypt(iv, plaintext, None)

# Upload encrypted data with salt and IV
response = requests.post(
    f"{DOMAIN}/upload",
    files={"file": ("secret-document.pdf", ciphertext)},
    data={
        "e2e": "true",
        "e2e_salt": base64.b64encode(salt).decode(),
        "e2e_iv": base64.b64encode(iv).decode(),
    },
    verify=False,
)
result = response.json()
print(f"Download: {result['download_url']}")
print(f"Manage:   {DOMAIN}{result['redirect']}")

DOWNLOAD AND DECRYPT E2E FILE

GET

/f/{file_id}/encrypted

Download raw encrypted data for E2E files. The response includes X-E2E-Salt and X-E2E-IV headers containing the Base64-encoded salt and IV needed for decryption.

▶ PYTHON - E2E DOWNLOAD AND DECRYPT

import base64
import requests
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes

# Configuration
PASSPHRASE = "my-secret-passphrase"
FILE_ID = "your-file-uuid-here"
DOMAIN = "https://dev.one.gy"
OUTPUT_FILE = "decrypted-document.pdf"

# Download encrypted data
response = requests.get(
    f"{DOMAIN}/f/{FILE_ID}/encrypted",
    verify=False,
)

# Extract salt and IV from response headers (comma-separated decimal byte values)
salt = bytes([int(x) for x in response.headers["X-E2E-Salt"].split(",")])
iv = bytes([int(x) for x in response.headers["X-E2E-IV"].split(",")])
ciphertext = response.content

# Derive the same key from the passphrase
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=100000,
)
key = kdf.derive(PASSPHRASE.encode("utf-8"))

# Decrypt with AES-256-GCM
aesgcm = AESGCM(key)
plaintext = aesgcm.decrypt(iv, ciphertext, None)

with open(OUTPUT_FILE, "wb") as f:
    f.write(plaintext)
print(f"Decrypted file saved to {OUTPUT_FILE}")

E2E PARAMETERS

NAME TYPE DESCRIPTION

e2e string "true" to mark upload as end-to-end encrypted

e2e_salt string Comma-separated decimal byte values of 16-byte salt used for PBKDF2 key derivation (e.g. "142,55,201,44,..."). Base64-encoded strings are also accepted.

e2e_iv string Comma-separated decimal byte values of 12-byte IV used for AES-256-GCM encryption (e.g. "10,233,78,..."). Base64-encoded strings are also accepted.

RESPONSE HEADERS (ENCRYPTED DOWNLOAD)

HEADER TYPE DESCRIPTION

X-E2E-Salt string Comma-separated decimal byte values of salt for PBKDF2 key derivation

X-E2E-IV string Comma-separated decimal byte values of IV for AES-256-GCM decryption

ERROR CODES

All error responses return an appropriate HTTP status code. JSON endpoints return an error field in the response body.

CODE STATUS DESCRIPTION

400 Bad Request No files provided or invalid request format

403 Forbidden Session does not own this file or insufficient permissions

404 Not Found File not found, expired, or invalid token

410 Gone Download limit reached, file has been removed

413 Payload Too Large File exceeds the maximum upload size (10 GB)

429 Too Many Requests Rate limit exceeded, try again later

507 Insufficient Storage Server disk is full or user storage quota exceeded

EXAMPLE ERROR RESPONSE

▶ JSON ERROR

{"error": "No files"}

RATE LIMITS

API endpoints are rate-limited to prevent abuse. Authenticated users have higher limits than guests. When a rate limit is exceeded, the server returns 429 Too Many Requests.

ENDPOINT GUESTS AUTHENTICATED

/upload Limited Higher limit

/f/{id} Limited Higher limit

/manage/{token} Limited Higher limit

/delete/{token} Limited Higher limit