Streams a stored file for inline browser viewing, such as images, videos, PDFs, and SVGs. Tenant logo files are public. Other files require either a valid Auth.js session cookie or an x-api-key header, then document-level authorization is checked using RBAC, relationship rules, bundle narrowing, and client visibility rules. Video files support HTTP Range requests and may return 206 Partial Content.
Path parameters
fileIdstring <uuid>Required
File UUID from external_files.file_id identifying the stored file to serve.
Header parameters
rangestringOptional
HTTP Range header for partial video responses, for example bytes=0-1048575. Only honored for video/* files.
x-api-keystringOptional
Optional API key fallback for non-browser clients. Used only when no valid session cookie is present.
Response codes
200
Full file stream for inline viewing.
206
Partial file stream for a valid video Range request.
400
Missing fileId or unsupported file type for inline viewing.
401
No valid session or API key was supplied.
403
Authenticated user is not authorized to view the file.
404
File was not found in metadata or storage.
416
Range header is invalid or outside the file size.
500
Unexpected internal error while authorizing or streaming the file.