Attachments
Konduit stores attachments in private storage. There are no public file links — every download is proxied through an authenticated route with strict response headers.
This page covers task attachments. For datatable attachments, see DataTables → Attachments.
POST /tasks/{taskId}/attachments
Upload a file. multipart/form-data with a file field.
curl -H "Authorization: Bearer kdt_..." \
-F "file=@./report.pdf" \
https://api.konduit.work/v1/tasks/<taskId>/attachments
Response:
{
"attachment": {
"id": "...",
"filename": "report.pdf",
"mime_type": "application/pdf",
"size_bytes": 845321,
"url": "/api/files/attachments/{ws}/{task}/{att}/report.pdf"
}
}
Limits and blocked types
| Constraint | Value |
|---|---|
| Max file size | 25 MB per file |
| Blocked extensions | exe, bat, cmd, com, msi, scr, ps1, vbs, js, sh |
The block list applies to extensions, not just MIME types — renaming evil.exe to evil.pdf.exe still gets rejected.
GET /tasks/{taskId}/attachments
List all attachments on a task.
{
"attachments": [
{
"id": "...", "filename": "report.pdf",
"mime_type": "application/pdf", "size_bytes": 845321,
"url": "/api/files/attachments/{ws}/{task}/{att}/report.pdf",
"uploaded_at": 1735689600,
"uploaded_by": { "id": "...", "name": "Alice" }
}
]
}
GET /tasks/{taskId}/attachments/{attachmentId}
Streams the file binary. The response includes hardening headers to prevent stored-XSS via uploaded HTML/SVG/JS:
Content-Disposition: attachment; filename="report.pdf"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; sandbox
The Content-Disposition: attachment forces the file to download rather than render in the browser. The CSP blocks any script execution if the file is a .html, .svg, or other potentially-active type.
DELETE /tasks/{taskId}/attachments/{attachmentId}
Permanently removes the attachment. No recovery in v1.
URL stability
The url field in attachment responses is stable for the lifetime of the attachment. You can store these URLs in your integration; they'll keep working as long as the attachment exists. Once deleted, the URL returns 404.
URLs require a valid Konduit session or API key — they're not public.
# Download an attachment with your API key
curl -H "Authorization: Bearer kdt_..." \
-o report.pdf \
https://konduit.work/api/files/attachments/{ws}/{task}/{att}/report.pdf
The Authorization: Bearer header is accepted on the file proxy directly — no separate download endpoint needed. The API key's workspace must match the file's workspace, otherwise the response is 404 (not 403, to avoid leaking which workspace owns a given path).