# /systems/{id}/backups/{backup_id}/download - Issue a short-lived download URL

**GET /systems/{id}/backups/{backup_id}/download**

Returns a short-lived presigned S3 URL that the user's browser
uses to stream the backup object directly from storage. The API
never proxies the object body itself.

The backend does not perform a redirect because the frontend
sends its JWT on the initial request — browsers would drop the
`Authorization` header when following a 3xx redirect, so the
frontend receives the URL in the JSON response and navigates to
it explicitly.

The presigned URL's lifetime is controlled by the
`BACKUP_PRESIGN_TTL` environment variable (default 5 minutes).

Access is gated by the same RBAC rules as `GET /systems/{id}`.



## Servers
- Backend API server (port 8080): https://api.your-domain.com/api (Backend API server (port 8080))
- Collect API server (port 8081): https://collect.your-domain.com/api (Collect API server (port 8081))


## Authentication methods
- Bearer auth


## Parameters

### Path parameters
- **id** (string)
  System ID
- **backup_id** (string)
  Backup object ID (UUIDv7 + extension, e.g. "01934f...tar.gz")



## Responses
### 200
Download URL issued

#### Body: application/json (object)
- **code** (integer)

- **message** (string)

- **data** (object)


### 401
Unauthorized - invalid or missing token

#### Body: application/json (object)
- **code** (integer)

- **message** (string)

- **data** (object | null)


### 403
Forbidden - insufficient permissions

#### Body: application/json (object)
- **code** (integer)

- **message** (string)

- **data** (object | null)


### 404
Resource not found

#### Body: application/json (object)
- **code** (integer)
  HTTP error code
- **message** (string)
  Error message
- **data** (object)


### 502
Backup storage unreachable or returned an error

### 503
Backup storage is not configured


[Powered by Bump.sh](https://bump.sh)