Using S3 Keys in Public Management API File Uploads

The Public API uses S3 keys as part of its attachment workflow. Here’s how:

Upload Flow

1.  Get a presigned URL — Call the presigned URL endpoint with your filename and file size. The API generates an S3 key automatically (format: {tenantId}/{uuid}) and returns it along with the presigned URL and form fields.

2.  Upload to S3 — Use the presigned URL to upload your file directly to S3 (temporary bucket).

3.  Submit the S3 key — When creating or updating an attachment via the API, include the s3Key returned from step 1 in your request.

What Happens After Upload

Once you submit the S3 key:

•   The system validates the file for malware (using GuardDuty tags) and file size •   The file is copied from the temporary bucket to a permanent document bucket •   The S3 key is stored with your attachment record

In Responses

Attachments returned by the API include the s3Key field, which can be used to:

•   Generate download links (signed URLs valid for 1 hour) •   Reference the file for future operations

Important: You cannot choose your own S3 key—it is generated by the system. Always use the S3 key provided by the presigned URL response.