Navigation

Attachments

Konduit stores attachments in private storage. There are no public file links — every download is proxied through an authenticated route with strict response headers.

This page covers task attachments. For datatable attachments, see DataTables → Attachments.

POST /tasks/{taskId}/attachments

Upload a file. multipart/form-data with a file field.

curl -H "Authorization: Bearer kdt_..." \
     -F "file=@./report.pdf" \
     https://api.konduit.work/v1/tasks/<taskId>/attachments

Response:

{
  "attachment": {
    "id": "...",
    "filename": "report.pdf",
    "mime_type": "application/pdf",
    "size_bytes": 845321,
    "url": "/api/files/attachments/{ws}/{task}/{att}/report.pdf"
  }
}

Limits and blocked types

Constraint Value
Max file size 25 MB per file
Blocked extensions exe, bat, cmd, com, msi, scr, ps1, vbs, js, sh

The block list applies to extensions, not just MIME types — renaming evil.exe to evil.pdf.exe still gets rejected.

GET /tasks/{taskId}/attachments

List all attachments on a task.

{
  "attachments": [
    {
      "id": "...", "filename": "report.pdf",
      "mime_type": "application/pdf", "size_bytes": 845321,
      "url": "/api/files/attachments/{ws}/{task}/{att}/report.pdf",
      "uploaded_at": 1735689600,
      "uploaded_by": { "id": "...", "name": "Alice" }
    }
  ]
}

GET /tasks/{taskId}/attachments/{attachmentId}

Streams the file binary. The response includes hardening headers to prevent stored-XSS via uploaded HTML/SVG/JS:

Content-Disposition: attachment; filename="report.pdf"
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none'; sandbox

The Content-Disposition: attachment forces the file to download rather than render in the browser. The CSP blocks any script execution if the file is a .html, .svg, or other potentially-active type.

DELETE /tasks/{taskId}/attachments/{attachmentId}

Permanently removes the attachment. No recovery in v1.

URL stability

The url field in attachment responses is stable for the lifetime of the attachment. You can store these URLs in your integration; they'll keep working as long as the attachment exists. Once deleted, the URL returns 404.

URLs require a valid Konduit session or API key — they're not public.

# Download an attachment with your API key
curl -H "Authorization: Bearer kdt_..." \
     -o report.pdf \
     https://konduit.work/api/files/attachments/{ws}/{task}/{att}/report.pdf

The Authorization: Bearer header is accepted on the file proxy directly — no separate download endpoint needed. The API key's workspace must match the file's workspace, otherwise the response is 404 (not 403, to avoid leaking which workspace owns a given path).

Next