Skip to Content

TwentyThree™ API

API Method: /api/photo/get-upload-token

Pre-authenticate an upload, allowing your client to upload directly to TwentyThree's servers from a web browser.

This method can be used to pre-authenticated uploads to a site without proxying them through your servers and the API. The flow is described in detail in the Browser-based uploads section of the API documentation, but in general terms this method will return a token which can be included in a standard HTML form to upload photos or videos directly to TwentyThree's servers.


return_urlThe URL where the user is return after both upload success and failure. See the Flow section for more information. The callback is a GET request when permitted (when the return data is less than 1500 chars) and a POST in all other cases; so your callback handler needs to accept both GET and POST. If return_url is empty or omitted, the request will return a simple HTTP 200 OK mesage.
background_return_pReturn to the callback url in the background. If this parameter is set to 1 the upload request will not redirect the client directly back to return_url. Instead, a request is made to return_url from the TwentyThree servers and a plain text document in returned containing status information. This option is design for uploading through clients wuch as Adobe Flash, where a client-side redirected might not be honoured. (The background callback takes the form of a HTTP GET request with a maximum length of 1500 chars.)
user_idThe user's ID. If no user ID is given, the objects will be uploaded anonymously. Requires super, otherwise files are uploaded using the authenticated user.
album_idA album (or channel) ID. Multiple values should be comma-separated.
titleA title for the upload. All HTML tags will be stripped away from the title.
descriptionA description of upload. The value can include save HTML tags such as <b> or <p>; however, if any disallowed tags are included, all html with be stripped from the description.
tagsSpace-separated list of tags to attach to the uploaded file.
publishShould the file be published in the site immediately?
Default is 1.
Valid values: 0 or 1
absolute_urlIf the uploaded photo or video is to be associated with a different canonical URI from the on assigned by default, set it here.
valid_minutesHow many minutes should the upload token be valid for. The default is 180 minutes (or 3 hours). The minimum value is 15 minutes and the maximum is 24 hours.
max_uploadsHow many files can be uploaded using the returned token. The default is 1 upload; the maximum is 100

In addition to the standard parameters, any custom variable configured for photo objects can be set using the variable key as a parameter.

Any extra parameters sent to this method will be repeated in the callback request to return_url (if given).

Permission level

The minimum required permission level is:


Example XML Response

<response status="ok" permission_level="write" 
  message="The upload token is ready to use" cached="0">
  <title>A title for the new upload</title>
  <description>... and a prelimiary description</description>
  <tags>product:1234, testemonial</tags>

Example JSON Response

  "status": "ok", 
  "message":"The upload token is ready to use",
    "valid_minutes": "180", 
    "description": "... and a prelimiary description", 
    "upload_token": "022fe6e3fb42758d6147c539727c5358af3524b1", 
    "max_uploads": "1", 
    "album_id": "", 
    "return_url": "", 
    "title": "A title for the new upload", 
    "valid_until": "1266713254", 
    "publish": "1", 
    "tags": "product:1234, testemonial",
    "user_id": "17488"
  "p": "1",
  "size": "1",
  "site": { ... },
  "endpoint": "/api/photo/get-upload-token"

The callback

The callback URL is defined by the return_url parameter, and the callback request will always take the form of a HTTP 301 redirect to a GET-style address.

The request will always include the upload_token and domain as a parameter. If the upload succeeded, the parameters photo_id, token, tree_id will be included. On upload failure, the callback includes an error_message parameter. See flow details.