fyuhls exposes a token-based API for uploads, metadata, and download-link workflows.

• create API tokens with explicit scopes
• users create those personal tokens from their own /settings page
• treat signed download links as opaque and temporary
• expect delivery mode to vary by policy and storage backend

External uploader tools should use:

• a personal API token

They should not use:

• browser cookies
• the account password

• file metadata now includes share-field style data aligned with the public download page
• signed links include expiry information
• clients should not assume a fixed transport mode like PHP-only or CDN-only
• multipart uploads can use signed part URLs or the app-routed part-upload endpoint, depending on the storage path
• managed uploads can short-circuit on dedup when the install already has the same object hash stored

The current user-facing token scope picker supports:

• files.upload
• files.read
• files.write
• stats.read
• remote.upload

Use them like this:

• files.upload for uploader tools and multipart session work
• files.read for listing files or folders, reading file metadata, bulk links, and download-link generation
• files.write for folder creation and file or folder changes
• stats.read for earnings and payout stats
• remote.upload for remote URL import flows

Multipart clients should be aware of the direct part-upload route:

• POST /api/v1/uploads/sessions/{id}/parts/upload/{part}

That exists alongside the signed-parts flow and is useful when the install is using the app-routed upload path instead of a direct object-storage upload.

• build against the API contract, not an assumed delivery backend
• use managed uploads and multipart flows for large files
• keep tokens scoped narrowly
• document which scopes your uploader tool actually needs instead of asking users to grant everything by default

• Uploads and Downloads
• Storage Nodes