Request a presigned upload URL.
Returns a single-use presigned PUT URL the client uses to upload
directly to BeeOS-managed object storage (S3 / MinIO in production,
local disk in dev). The returned file_id is stable and can be
attached to subsequent POST /agents/{agentId}/invoke /
POST /agents/{agentId}/tasks bodies via the attachments[].file_id
field — see docs/guides/calling-agents.md
for an end-to-end example.
Files are scoped to the authenticated user; there is no list endpoint
— callers must remember their own file_id values (the recommended
workflow is to inline them into the invoke / task body that needs
them immediately after upload).
Authorizations
Pass a user JWT or a oag_ User API Key on the
Authorization: Bearer <token> header. Both are validated by
openapi-gateway against the Auth service.
Both credential types are user-scoped: every key (and every JWT) is bound to exactly one owner, and every route grants the caller full access to that owner's own resources. Cross-tenant access is denied by owner-ACL inside the handlers — there is no per-route scope vocabulary on this API.
Removed in v1.1.0: the legacy
agents:*/tasks:*/files:*/instances:*scope set has been dropped together with the403 insufficient_scopeerror. Existingoag_keys automatically gain full owner-level access and do not need to be re-issued. SDK calls that previously passedscopestocreateAPIKeyshould drop the argument. See the changelog at the bottom of this spec for the full migration note.