Create a signed upload URL
Mint a pre-signed URL that lets a client upload bytes without the service-role key.
Mint a one-shot pre-signed URL for path. The caller hands the returned URL + token to an untrusted client (browser, mobile app, third-party worker) so it can upload bytes without seeing your service-role key. The receiving side uses upload_to_signed_url to consume the token.
Service-role key required
The pre-sign endpoint itself rejects the anon key — call this method server-side with a service-role JWT. The URL it returns is what you ship to the untrusted client.
Signature
supabase.storage.from(bucket_id).create_signed_upload_url(path,upsert: nil)Parameters
| Name | Type | Required | Description |
|---|---|---|---|
path | String | Required | Destination object path inside the bucket. The pre-signed URL is bound to this exact path — the client cannot rewrite it. |
upsert | Boolean | Optional | true to send x-upsert: true at pre-sign time so the eventual upload can overwrite an existing object at path. Omit/nil to send no x-upsert header (storage-api defaults to no-overwrite). |
Returns
Struct with signed_url (fully-qualified URL, alias signedUrl / signedURL), token (the bearer token parsed out of the URL's ?token=... for caller convenience), and path (echo of the requested path).
Example — mint, ship, upload
# Server side — uses your service-role-bearing client.
signed = supabase.storage.from("uploads").create_signed_upload_url(
"incoming/avatar-#{user_id}.png"
)
# Send signed.signed_url + signed.token to the browser. The page then PUTs the
# bytes to the URL directly, OR — if Ruby code consumes the token — uses
# upload_to_signed_url (see /reference/storage/uploadtosignedurl).
{ url: signed.signed_url, token: signed.token, path: signed.path }Example — allow overwrite
signed = supabase.storage.from("uploads").create_signed_upload_url(
"user-#{user_id}/avatar.png",
upsert: true
)Example — alternate reader names
signed = supabase.storage.from("uploads").create_signed_upload_url("scratch.bin")
signed.signed_url # snake_case
signed.signedUrl # camelCase alias
signed.signedURL # all-caps aliasThree reader aliases for the signed URL
Types::SignedUploadURL exposes the URL under three reader names — signed_url, signedUrl, and signedURL — all returning the same String. The same alias convention applies to create_signed_url / create_signed_urls (which return Hashes with both string keys).