UC.Files

API Reference

Base URL: https://files.union-crax.xyz
All request and response bodies use JSON unless noted. All responses are UTF-8.

Authentication
Most write endpoints require authentication. You can authenticate in two ways:

1. Session cookie — Log in via POST /api/auth/login or register via POST /api/auth/register. An fh_session cookie is set automatically.

2. API key header — Pass your 32-character account hash directly:
X-API-Key: your32charhashhere

The account hash is the credential. There are no passwords. Keep it secret.
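
An added example, not part of the UC.Files documentation: since the account hash is the only credential, these shell helpers store it as a header line in an owner-only file and have curl read it with -H @file instead of placing it on the command line. The function names, the UC_KEYFILE path and the whitespace check are assumptions.

```shell
# Added example (not UC.Files code). Function names and UC_KEYFILE are assumptions.
UC_BASE="https://files.union-crax.xyz"   # base URL from this page
UC_KEYFILE="${UC_KEYFILE:-$HOME/.config/uc-files/api-key.header}"

# uc_valid_key KEY: true only for exactly 32 characters (per the page) with no
# whitespace or control characters (assumption; blocks header injection).
uc_valid_key() {
    [ "${#1}" -eq 32 ] || return 1
    case "$1" in
        *[[:space:][:cntrl:]]*) return 1 ;;
    esac
    return 0
}

# uc_save_key KEY [FILE]: write "X-API-Key: KEY" to a file readable only by
# its owner. printf is a shell builtin, so the key is never in another
# process's argument list.
uc_save_key() {
    uc_valid_key "$1" || { echo "refusing to store malformed key" >&2; return 1; }
    uc_file="${2:-$UC_KEYFILE}"
    (
        umask 077                                   # new dir 0700, new file 0600
        mkdir -p "$(dirname "$uc_file")" &&
        rm -f "$uc_file" &&                         # drop any copy with looser modes
        printf 'X-API-Key: %s\n' "$1" > "$uc_file"
    )
}

# uc_api PATH [curl options...]: authenticated request. curl reads the header
# from the file (-H @file, curl 7.55.0 or later), so the key stays out of
# `ps` output and shell history.
uc_api() {
    uc_path="$1"; shift
    curl -sS -H @"$UC_KEYFILE" "$@" "$UC_BASE$uc_path"
}

# Typical use:
#   stty -echo; IFS= read -r key; stty echo    # type or paste the hash unseen
#   uc_save_key "$key" && unset key
#   uc_api /api/auth/me
#   uc_api /api/upload -F "file=@photo.jpg"
```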

Register (Create Account)

POST /api/auth/register

No body required. Creates a new account and starts a session.

Response:
{"ok":true,"hash":"V3ryL0ngRand0mKey32CharsHere","created_at":"2026-03-02T12:00:00Z"}

Save the returned hash. It is your only login credential. There is no recovery mechanism.

Log In

POST /api/auth/login

Body: {"hash":"your32charhashhere"}

Example:
curl -c cookies.txt -X POST -H "Content-Type: application/json" \
  -d '{"hash":"your32charhashhere"}' https://files.union-crax.xyz/api/auth/login


Response:
{"ok":true,"hash":"your32charhashhere"}

Sets an fh_session cookie valid for 30 days.

Log Out

POST /api/auth/logout

Invalidates the current session cookie. No body required.

Response: {"ok":true}

Account Info

GET /api/auth/me  [auth required]

Returns current account details and file count.

Example (API key):
curl -H "X-API-Key: your32charhashhere" https://files.union-crax.xyz/api/auth/me

Response:
{"ok":true,"hash":"your32charhashhere","created_at":"2026-03-02T12:00:00Z","file_count":5}

Upload a File

POST /api/upload  [auth required]

Content-Type: multipart/form-data
Fields: file — the file to upload (required)

Example:
curl -H "X-API-Key: your32charhashhere" \
  -F "file=@photo.jpg" https://files.union-crax.xyz/api/upload


Response:
{"ok":true,"file_id":"AbCd1234XyZ56789","url":"/f/AbCd1234XyZ56789","written":204800}

Share /f/<file_id> — the file landing page. The raw download is at /dl/<file_id>.

List My Files

GET /api/files  [auth required]

Returns all files owned by the authenticated account.

Example:
curl -H "X-API-Key: your32charhashhere" https://files.union-crax.xyz/api/files

Response:
{"ok":true,"files":[ { "file_id":"AbCd1234XyZ56789", "owner":"your32charhashhere", "original_name":"photo.jpg", "size":204800, "uploaded_at":"2026-03-02T12:00:00Z", "downloads":3, "views":12 } ]}

Delete a File

POST /api/delete  [auth required, own files only]

Body: {"id":"AbCd1234XyZ56789"}

Example:
curl -H "X-API-Key: your32charhashhere" \
  -X POST -H "Content-Type: application/json" \
  -d '{"id":"AbCd1234XyZ56789"}' https://files.union-crax.xyz/api/delete


Response: {"ok":true}

Returns 403 Forbidden if the file belongs to another account.

File Landing Page (Public)

GET /f/<file_id>

Human-readable HTML page showing the file name, size, upload date, view and download counts, and a download button. Visiting this page increments the view counter.

Share this URL with anyone — no account needed to view or download.

Raw Download (Public)

GET /dl/<file_id>

Serves the raw file bytes with Content-Disposition: attachment. Increments the download counter.

Example:
curl -OJ https://files.union-crax.xyz/dl/AbCd1234XyZ56789

Create Folder

POST /api/folders/create  [auth required]

Body: {"name":"my-folder"}

Response: {"ok":true,"name":"my-folder"}

List Folders

GET /api/folders  [auth required]

Response:
{"ok":true,"folders":[{"name":"my-folder","owner":"...","created_at":"..."}]}

Delete Folder

POST /api/folders/delete  [auth required]

Body: {"name":"my-folder"}

Deletes the folder and all files inside it.

Response: {"ok":true,"deleted_files":3}

Mass Delete Files

POST /api/mass-delete  [auth required, own files only]

Body: {"ids":["fileId1","fileId2"]}

Response: {"ok":true,"deleted":2}

Create Public Upload Link

POST /api/publink/create  [auth required]

Body: {"folder":"","minutes":60}

Creates a time-limited URL where anyone can upload files to your account (optionally into a specific folder).

Response: {"ok":true,"token":"abc123","url":"/pub/abc123","expires_at":"..."}

List Active Public Links

GET /api/publinks  [auth required]

Returns all non-expired public upload links owned by the authenticated account.

Response:
{"ok":true,"links":[{"token":"abc123","owner":"...","folder":"","expires_at":"...","created_at":"..."}]}

Revoke Public Upload Link

POST /api/publink/delete  [auth required]

Body: {"token":"abc123"}

Response: {"ok":true}

Global Stats (Public)

GET /api/stats

Returns total files and total bytes stored across all users. No authentication required.

Response: {"ok":true,"total_files":42,"total_size":1073741824}

Error Codes

All error responses are plain text with the appropriate HTTP status:

400 — Bad request (missing fields, invalid JSON)
401 — Unauthorized (missing or invalid session / API key)
403 — Forbidden (file belongs to another account)
404 — File not found
405 — Wrong HTTP method
500 — Server error