/systems/{id}/backups/{backup_id}/download - Issue a short-lived download URL

GET /systems/{id}/backups/{backup_id}/download
Bearer auth

Returns a short-lived presigned S3 URL that the user's browser uses to stream the backup object directly from storage. The API never proxies the object body itself.

The backend does not perform a redirect because the frontend sends its JWT on the initial request — browsers would drop the Authorization header when following a 3xx redirect, so the frontend receives the URL in the JSON response and navigates to it explicitly.

The presigned URL's lifetime is controlled by the BACKUP_PRESIGN_TTL environment variable (default 5 minutes).

Access is gated by the same RBAC rules as GET /systems/{id}.

Path parameters

  • id string Required

    System ID

  • backup_id string Required

    Backup object ID (UUIDv7 + extension, e.g. "01934f...tar.gz")

Responses

  • 200 application/json

    Download URL issued

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object
      Hide data attributes Show data attributes object
      • download_url string(uri)

        Short-lived presigned S3 URL

      • expires_in_seconds integer

        How long the URL remains valid
  • 401 application/json

    Unauthorized - invalid or missing token

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 403 application/json

    Forbidden - insufficient permissions

    Hide response attributes Show response attributes object
    • code integer
    • message string
    • data object | null
  • 404 application/json

    Resource not found

    Hide response attributes Show response attributes object
    • code integer

      HTTP error code

    • message string

      Error message

    • data object
      Hide data attributes Show data attributes object
      • type string

        Type of error

        Values are validation_error or external_api_error.

      • errors array[object]
        Hide errors attributes Show errors attributes object
        • key string

          Field name that failed validation

        • message string

          Error code or message

        • value string

          Value that failed validation

      • details

        Additional error details
  • 502

    Backup storage unreachable or returned an error

  • 503

    Backup storage is not configured

GET /systems/{id}/backups/{backup_id}/download 
curl \
 --request GET 'https://api.your-domain.com/api/systems/sys_123456789/backups/01934fab-bc33-7890-a1b2-c3d4e5f6a7b8.tar.gz/download' \
 --header "Authorization: Bearer $ACCESS_TOKEN"
Response examples (200) 
{
  "code": 200,
  "message": "download URL issued",
  "data": {
    "download_url": "https://example.com",
    "expires_in_seconds": 300
  }
}
Response examples (401) 
{
  "code": 401,
  "message": "invalid token",
  "data": {}
}
Response examples (403) 
{
  "code": 403,
  "message": "insufficient permissions",
  "data": {}
}
Response examples (404) 
{
  "code": 400,
  "message": "validation failed",
  "data": {
    "type": "validation_error",
    "errors": [
      {
        "key": "username",
        "message": "required",
        "value": "string"
      }
    ]
  }
}