Downloads the original stored file for a document as an attachment. The documentId path value is resolved against documents.document_id first, then documents.file_id. The route supports Auth.js session-cookie authentication and x-api-key fallback for machine clients, derives the tenant from the authenticated principal, requires document:read permission, and runs document authorization rules before reading the file from storage.
Path parameters
documentId string <uuid> Required
Document UUID from documents.document_id, or file UUID from documents.file_id. The handler resolves document_id first and falls back to file_id.
Header parameters
x-api-key string Optional
Optional API key for machine-to-machine download requests. Used only when no valid Auth.js session cookie is present.
Response codes
200
Binary file stream with attachment Content-Disposition headers. Content-Type varies by stored MIME type.
400
Missing documentId path parameter.
401
No valid session or API key was supplied.
403
Authenticated user lacks document:read permission.
404
Document not found, document has no file_id, or file metadata/storage record was not found.
500
Unexpected internal failure while downloading the document.
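The following JavaScript model is an added example, not the service's own handler code. It walks through the checks described above: session before x-api-key, tenant taken from the principal, document:read, then document_id before file_id. Assumptions: the order in which the status codes are decided, the tenant-scoped lookup, the function names, and all sample IDs, keys and tenants are constructed. Document authorization rules are left out because the page does not say what they return.

```javascript
// Added example: models the documented checks; not the service's own handler.
// Constructed sample data: every ID, key and tenant name below is made up.
const rows = [
  { tenant: "tenant-a", document_id: "11111111-1111-4111-8111-111111111111", file_id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa" },
  { tenant: "tenant-b", document_id: "22222222-2222-4222-8222-222222222222", file_id: "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb" },
  { tenant: "tenant-a", document_id: "33333333-3333-4333-8333-333333333333", file_id: null },
];
const apiKeys = new Map([
  ["key-reader", { tenant: "tenant-a", permissions: ["document:read"] }],
]);

// A valid session always wins; x-api-key is consulted only when there is none.
function resolvePrincipal(req) {
  if (req.session && req.session.valid) return req.session.principal;
  if (req.apiKey && apiKeys.has(req.apiKey)) return apiKeys.get(req.apiKey);
  return null;
}

// Assumption: the lookup is scoped to the principal's tenant, so another
// tenant's UUID is indistinguishable from a nonexistent one.
// document_id is tried first, file_id second.
function resolveDocument(tenant, id) {
  const scoped = rows.filter((r) => r.tenant === tenant);
  return scoped.find((r) => r.document_id === id)
    || scoped.find((r) => r.file_id === id)
    || null;
}

// Returns the HTTP status the documented rules would produce for a request.
function downloadStatus(req) {
  if (!req.documentId) return 400;                    // missing path parameter
  const principal = resolvePrincipal(req);
  if (!principal) return 401;                         // no valid session or API key
  if (!principal.permissions.includes("document:read")) return 403;
  const doc = resolveDocument(principal.tenant, req.documentId);
  if (!doc || !doc.file_id) return 404;               // not found, or no file_id
  return 200;
}

// A session without document:read is not rescued by a stronger API key.
console.log(downloadStatus({
  documentId: rows[0].document_id,
  session: { valid: true, principal: { tenant: "tenant-a", permissions: [] } },
  apiKey: "key-reader",
}));
```

The same cases make a useful regression suite for a real deployment: a cross-tenant UUID and a document without a file_id should both be answered with 404, and a valid session should never be overridden by the header.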