API Reference
Access Policies
Share documents via public, wallet, email, or link policies
Auth required (Clerk Bearer). Policies control how third parties reach a document through the Access routes.
The policy object
{
  "id": "pol123",
  "documentId": "abc123xyz",
  "createdById": "user_...",
  "policyType": "link",
  "permission": "download",
  "value": "nanoid-32-char-token",
  "expiresAt": null,
  "maxAccesses": 10,
  "accessCount": 3,
  "label": "Auditor externo",
  "isActive": true,
  "createdAt": "2026-05-01T12:00:00.000Z"
}

| policyType | value meaning |
|---|---|
| public | — (anyone with the document ID) |
| wallet | Authorized wallet address (0x...) |
| email | Authorized email address |
| link | Server-generated share token |
permission is view (15-min presigned URL) or download (1-hour presigned URL).
POST /api/access-policies
| Body field | Type | Description |
|---|---|---|
| documentId | string (required) | Target document |
| policyType | string (required) | public, wallet, email, or link |
| permission | string | view (default) or download |
| value | string | Wallet address or email, depending on type |
| expiresAt | date-time | Optional expiry |
| maxAccesses | number | Optional access cap |
| label | string | Optional display label |
For link policies the server generates the token and the response also includes a shareUrl (https://jatoba-web3-production.up.railway.app/share/<token>).
201 policy · 400 invalid wallet/email · 404 document not in your tenant.
GET /api/access-policies/:documentId
Lists all policies for a document you own. 200 — { "policies": [Policy] }
PATCH /api/access-policies/:id
Update isActive, expiresAt, maxAccesses, or label. Only the policy creator may update. 200 — the updated policy.
DELETE /api/access-policies/:id
Only the policy creator may delete. 200 — { "deleted": true }
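A review pass over the list returned by GET /api/access-policies/:documentId, flagging active policies worth tightening with PATCH or removing with DELETE. This is an added example, not code from the API's own documentation or project; the finding names, the `audit_policies` function and the sample policies are assumptions constructed here, and the script only reads fields shown in the policy object above.

```python
from datetime import datetime, timezone

def _parse(ts):
    # ISO 8601 with a trailing "Z", the format of createdAt in the policy object
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_policies(policies, now=None):
    """Map policy id -> findings for active policies that merit review."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for p in policies:
        if not p.get("isActive"):
            continue  # already deactivated, nothing to flag
        expires, cap = p.get("expiresAt"), p.get("maxAccesses")
        findings = []
        if p["policyType"] == "public":
            findings.append("public: reachable by anyone with the document ID")
        if expires is None and cap is None:
            findings.append("unbounded: neither expiresAt nor maxAccesses is set")
        if expires is not None and _parse(expires) <= now:
            findings.append("stale: expiresAt has passed, isActive still true")
        if cap is not None and p.get("accessCount", 0) >= cap:
            findings.append("stale: accessCount has reached maxAccesses")
        if findings:
            report[p["id"]] = findings
    return report

def _policy(pid, ptype, perm, expires, cap, count, active=True):
    # Helper for the constructed sample; field names follow the policy object
    return {"id": pid, "policyType": ptype, "permission": perm,
            "expiresAt": expires, "maxAccesses": cap,
            "accessCount": count, "isActive": active}

# Constructed sample shaped like the 200 response: { "policies": [Policy] }
SAMPLE_NOW = datetime(2026, 5, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = {"policies": [
    _policy("pol123", "link", "download", None, 10, 3),  # capped: no finding
    _policy("pol_a", "public", "view", None, None, 40),
    _policy("pol_b", "link", "view", "2026-04-01T00:00:00.000Z", None, 0),
    _policy("pol_c", "email", "download", None, 5, 5),
    _policy("pol_d", "wallet", "view", None, None, 0, active=False),
]}

if __name__ == "__main__":
    for pid, findings in audit_policies(SAMPLE["policies"], SAMPLE_NOW).items():
        print(pid, findings)
```

The "stale" findings make no claim about what the server enforces; they only point out policies whose isActive flag no longer matches their own limits.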