Upload Links and Access Controls

This page describes how Foldly upload links work, what access controls are available, and how external user identity is verified. It is written for workspace owners, security reviewers, and anyone evaluating Foldly for document collection workflows.

For general security and data handling information, see Security & Data Handling.


Overview

Foldly allows workspace owners to create shareable upload links that point to specific folders in their workspace. External users visit these links in a browser to upload files without creating a Foldly account. Each upload link has its own access type, permission list, and configurable protections.

Upload links use a path-based URL structure that reflects the folder hierarchy:

foldly.com/{username}/{path/to/folder}

For example: foldly.com/johndoe/clients/acme/tax-docs

Links can be created, configured, paused, and deleted from the workspace owner's dashboard.


Access Types

Each upload link is configured as either public or dedicated. The mode is set by the workspace owner when creating or editing a link.

Public links allow any external user to upload files. The user provides their email address before uploading. No prior permission entry is required. After a successful upload, the uploader's email is automatically recorded in the link's permission list for tracking purposes. This is idempotent: if the email already exists, no duplicate entry is created.

Dedicated links restrict upload access to specific email addresses. Only users whose email is listed in the link's permission table can upload. If a user's email is not on the list, the upload is denied. The workspace owner manages the permission list from the dashboard.

Both link types require the uploader to provide a valid email address before proceeding.


Roles

Foldly uses three roles to control what external users can see and do on an upload link.

Owner
  Description: The workspace creator. Full control over files, folders, links, settings, and integrations from the dashboard. If the owner's email is entered on an upload page, the owner is redirected to the dashboard rather than shown the upload interface.
  How assigned: Automatic, based on workspace ownership.

Editor
  Description: An external user with elevated access to a specific link. Editors can view all files and folders associated with the link, across all uploaders and sessions, and can delete files uploaded by others. Editors must verify their email address via a one-time code before access is granted.
  How assigned: By the workspace owner, through the dashboard permission management interface.

Uploader
  Description: An external user who uploads files through the link. Uploaders can only see files and folders created during their current session; they cannot see files uploaded by other users.
  How assigned: On public links, created automatically after a successful upload. On dedicated links, added by the workspace owner.

The key difference between editors and uploaders is visibility. Editors can see all content associated with the link. Uploaders can only see content they created during their current visit. This distinction is why editors require email verification: elevated visibility requires proof of email ownership.
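The access-type and role rules above can be read as one decision function. The following is an added example, not Foldly's own code: it assumes a hypothetical in-memory PermissionStore in place of the database table, and the function and type names (resolveAccess, recordUploaderAfterUpload, AccessDecision) are assumptions chosen for the illustration. It shows the owner redirect, the editor branch that must go through OTP, the public-link default, the dedicated-link denial, and the idempotent uploader record written after a public upload.

```typescript
// Added example (not Foldly's code): deciding what an email address may do on
// a link, and recording a public-link uploader afterwards without duplicates.

type Role = 'editor' | 'uploader';
type AccessType = 'public' | 'dedicated';

interface UploadLink {
  id: string;
  ownerEmail: string;
  accessType: AccessType;
}

interface Permission {
  linkId: string;
  email: string;
  role: Role;
  verified: boolean;   // editors flip this after OTP verification
  createdAt: number;   // epoch milliseconds
}

// Hypothetical in-memory stand-in for the permission table. The (linkId, email)
// pair is the unique key, so "create if missing" is naturally idempotent.
class PermissionStore {
  private readonly rows = new Map<string, Permission>();

  private key(linkId: string, email: string): string {
    return `${linkId}\u0000${email}`;
  }

  get(linkId: string, email: string): Permission | undefined {
    return this.rows.get(this.key(linkId, email));
  }

  // Returns true when a new row was created, false when one already existed.
  createIfMissing(p: Permission): boolean {
    const k = this.key(p.linkId, p.email);
    if (this.rows.has(k)) return false;
    this.rows.set(k, p);
    return true;
  }

  size(): number {
    return this.rows.size;
  }
}

// Canonical form so "Alice@Example.com" and "alice@example.com " are one identity.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

type AccessDecision =
  | { kind: 'owner-redirect' }        // owner goes to the dashboard, not the upload UI
  | { kind: 'editor-otp-required' }   // elevated visibility: prove email ownership first
  | { kind: 'uploader' }              // may upload; sees only this session's files
  | { kind: 'denied'; reason: string };

function resolveAccess(link: UploadLink, rawEmail: string, store: PermissionStore): AccessDecision {
  const email = normalizeEmail(rawEmail);
  if (email === normalizeEmail(link.ownerEmail)) return { kind: 'owner-redirect' };

  const perm = store.get(link.id, email);
  // An editor row takes precedence on either link type and always requires OTP.
  if (perm?.role === 'editor') return { kind: 'editor-otp-required' };

  if (link.accessType === 'public') return { kind: 'uploader' };
  if (perm?.role === 'uploader') return { kind: 'uploader' };
  return { kind: 'denied', reason: 'email is not on the permission list for this dedicated link' };
}

// Public links only: record the uploader after a successful upload. Idempotent,
// and this path sends no invitation email.
function recordUploaderAfterUpload(link: UploadLink, rawEmail: string, store: PermissionStore, now: number): boolean {
  if (link.accessType !== 'public') return false;
  return store.createIfMissing({
    linkId: link.id,
    email: normalizeEmail(rawEmail),
    role: 'uploader',
    verified: false,
    createdAt: now,
  });
}
```

Note that the editor check runs before the public-link shortcut: an editor on a public link still has to pass OTP, because the elevated visibility, not the link type, is what triggers verification.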


Editor Verification

Because editors can view and manage all content on a link, Foldly requires editors to verify their email address through a one-time passcode (OTP) before granting editor access.

How It Works

  1. The user enters their email address on the upload page.

  2. The system detects that the email has an editor permission for this link.

  3. A 6-digit verification code is generated and sent to the email address.

  4. The user enters the code on the upload page.

  5. The code is verified server-side. It is single-use (consumed on successful verification) and expires after 5 minutes.

  6. On successful verification, a server-side session is created for the editor.

Session Handling

After successful verification, a server-side session is created and stored in Redis with a 24-hour expiration. The browser receives an opaque session cookie that contains only a cryptographically random token (48 bytes). The cookie contains no email address, role, or timestamp information.

On subsequent visits within the 24-hour session window, the server validates the token against the server-side record. If valid, OTP verification is skipped for that visit. After 24 hours, the session expires automatically (via Redis TTL and cookie expiry), and re-verification is required.

Sessions are scoped to a specific link. An editor session for one link does not grant access to other links. A forged or tampered cookie value will not match any server-side record.
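The OTP and session rules in this section, as an added example that is not Foldly's code. It assumes a hypothetical TtlStore class standing in for Redis (entries carry an absolute expiry so the 5-minute and 24-hour TTLs can be exercised with an injected clock), and the function names issueOtp, verifyOtp, createEditorSession and validateEditorSession are assumptions. The code shows the single-use code, the expiry, the 48-byte opaque token, link scoping, and why a forged cookie fails.

```typescript
import { randomBytes, randomInt, timingSafeEqual } from 'node:crypto';

// Hypothetical stand-in for Redis: each entry carries an absolute expiry so the
// TTL behaviour can be exercised with an injected clock instead of real time.
class TtlStore<T> {
  private readonly entries = new Map<string, { value: T; expiresAt: number }>();

  set(key: string, value: T, ttlMs: number, now: number): void {
    this.entries.set(key, { value, expiresAt: now + ttlMs });
  }

  get(key: string, now: number): T | undefined {
    const e = this.entries.get(key);
    if (!e) return undefined;
    if (now >= e.expiresAt) {        // expired: behave as if Redis already evicted it
      this.entries.delete(key);
      return undefined;
    }
    return e.value;
  }

  delete(key: string): void {
    this.entries.delete(key);
  }
}

const OTP_TTL_MS = 5 * 60 * 1000;            // 5 minutes, per the page
const SESSION_TTL_MS = 24 * 60 * 60 * 1000;  // 24 hours, per the page
const SESSION_TOKEN_BYTES = 48;              // per the page

interface OtpRecord { code: string }
interface EditorSession { linkId: string; email: string; role: 'editor' }

function otpKey(linkId: string, email: string): string {
  return `otp:${linkId}:${email}`;
}

// Generates a 6-digit code. It is returned here only so the caller can hand it
// to the mailer; it must never appear in the HTTP response.
function issueOtp(store: TtlStore<OtpRecord>, linkId: string, email: string, now: number): string {
  const code = randomInt(0, 1000000).toString().padStart(6, '0');
  store.set(otpKey(linkId, email), { code }, OTP_TTL_MS, now);
  return code;
}

// Constant-time comparison; the record is deleted only on success (single use).
function verifyOtp(store: TtlStore<OtpRecord>, linkId: string, email: string, submitted: string, now: number): boolean {
  const key = otpKey(linkId, email);
  const rec = store.get(key, now);
  if (!rec) return false;            // never issued, already consumed, or expired
  const expected = Buffer.from(rec.code, 'utf8');
  const given = Buffer.from(submitted, 'utf8');
  const ok = expected.length === given.length && timingSafeEqual(expected, given);
  if (ok) store.delete(key);
  return ok;
}

// The cookie value is the token alone: no email, role or timestamp is encoded
// in it, so there is nothing for a client to tamper with or learn from.
function createEditorSession(store: TtlStore<EditorSession>, linkId: string, email: string, now: number): string {
  const token = randomBytes(SESSION_TOKEN_BYTES).toString('base64url');
  store.set(`sess:${token}`, { linkId, email, role: 'editor' }, SESSION_TTL_MS, now);
  return token;
}

// A session is scoped to one link; a forged token simply matches no record.
function validateEditorSession(store: TtlStore<EditorSession>, token: string, linkId: string, now: number): EditorSession | null {
  const rec = store.get(`sess:${token}`, now);
  if (!rec || rec.linkId !== linkId) return null;
  return rec;
}
```

Because the server-side record is the only place the email and role live, revoking a session is a single key deletion, and expiry is enforced twice: by the store's TTL and by the cookie's own expiry on the browser side.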

Rate Limiting

OTP send requests are rate-limited to 5 per minute per email address. OTP verification attempts are rate-limited to 20 per minute per email address. These limits protect against brute-force and enumeration attacks.


Owner-Configurable Protections

Workspace owners can configure the following settings on each upload link from the dashboard. All settings are per-link and optional unless noted otherwise.

Public or dedicated access. Controls whether the link is open to anyone or restricted to listed email addresses.

Active/inactive state. Links can be paused (set to inactive). Inactive links reject new uploads. Existing files are not affected.

Password protection. An optional access code that uploaders must enter before they can proceed. Passwords are encrypted at rest using AES-256-GCM. The owner can view and share the password from the dashboard. Password verification is rate-limited.

Expiration date. An optional date after which the link stops accepting uploads. Existing files are not affected.

Required uploader name. When enabled, uploaders must provide their name in addition to their email address.

Custom welcome message. A message displayed to uploaders on the upload page (up to 500 characters).

Upload notifications. When enabled, the workspace owner receives an email notification when files are uploaded to the link.

Branding. Links can display a custom logo, accent color, and background color on the upload page.

File size enforcement is applied at the workspace level based on the owner's subscription tier. Per-link file type restrictions and per-link file size overrides are not enforced at this time.
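The password-protection setting above says link passwords are encrypted at rest with AES-256-GCM and that the owner can view them, which means the stored value must be reversible yet tamper-evident. The following is an added example, not Foldly's code: it assumes a 32-byte key supplied by the caller (a real deployment would load it from a secret store), a record layout of base64url(iv).base64url(ciphertext).base64url(tag) chosen for this illustration, and the function names encryptLinkPassword, decryptLinkPassword and verifyLinkPassword, all of which are assumptions.

```typescript
import { randomBytes, createCipheriv, createDecipheriv, timingSafeEqual } from 'node:crypto';

const KEY_BYTES = 32;   // AES-256
const IV_BYTES = 12;    // 96-bit nonce, the GCM default
const TAG_BYTES = 16;   // 128-bit authentication tag

// Stored form: base64url(iv).base64url(ciphertext).base64url(tag).
function encryptLinkPassword(plaintext: string, key: Buffer): string {
  if (key.length !== KEY_BYTES) throw new Error('AES-256-GCM requires a 32-byte key');
  const iv = randomBytes(IV_BYTES);   // fresh per encryption; never reuse a nonce under one key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [iv, ciphertext, tag].map(b => b.toString('base64url')).join('.');
}

// Throws if the record was altered: GCM checks the tag before releasing plaintext.
function decryptLinkPassword(stored: string, key: Buffer): string {
  const parts = stored.split('.');
  if (parts.length !== 3) throw new Error('malformed ciphertext record');
  const [iv, ciphertext, tag] = parts.map(p => Buffer.from(p, 'base64url'));
  if (iv.length !== IV_BYTES || tag.length !== TAG_BYTES) throw new Error('malformed ciphertext record');
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// Compares the submitted access code against the decrypted one in constant time.
// Rate limiting of this call (as the page states) belongs in the caller.
function verifyLinkPassword(stored: string, key: Buffer, submitted: string): boolean {
  const expected = Buffer.from(decryptLinkPassword(stored, key), 'utf8');
  const given = Buffer.from(submitted, 'utf8');
  return expected.length === given.length && timingSafeEqual(expected, given);
}
```

Two properties worth checking in review: the same password encrypts to a different record each time because the nonce is random, and flipping any byte of the ciphertext or tag makes decryption throw rather than return garbage.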


Uploader Identity and Permission Handling

Email as Identity

Every upload link requires the external user to enter their email address before uploading. This email is recorded with each uploaded file for provenance tracking.

Permission Records

Permissions are stored per link and per email address; the (link, email) pair is subject to a unique constraint, so one email can hold at most one permission record on a given link. Each permission record includes a role (editor or uploader) and metadata such as verification status and activity timestamps.

For public links: Uploader permission records are created automatically after a successful upload. This operation is idempotent: if a permission already exists for that email and link, it is not duplicated. No invitation email is sent during this automatic permission creation.

For dedicated links: Permissions must be created in advance by the workspace owner. Only email addresses with an existing permission record can upload.

Invitation Emails

When the workspace owner adds a permission entry with invitation details (sender name, link URL, optional custom message), an invitation email is sent to the added email address. The invitation includes a link with the recipient's email pre-filled for convenience. Invitation emails are subject to a one-hour cooldown: if an invitation was sent to the same email within the past hour, it is not resent.

Permission Management

Workspace owners can add, update, or remove permissions from the dashboard at any time. Permission changes take effect immediately. Removing a permission revokes that email's access to the link.


Operational Safeguards

Rate limiting. All public-facing upload operations are rate-limited using distributed Redis-based rate limiting (Upstash Redis). This includes permission checks, role detection, password verification, OTP requests, OTP verification, upload rule validation, and file upload initiation. Rate limits use a sliding window algorithm. Clients that exceed limits are temporarily blocked.
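This paragraph and the Rate Limiting subsection under Editor Verification both describe per-email, per-minute limits enforced with a sliding window. The following is an added example, not Foldly's code and not the Upstash library: it implements the sliding-log variant (the exact timestamps of recent requests are kept and counted) in memory, where a distributed deployment would keep the same log in a Redis sorted set; the class name SlidingWindowLimiter and the two limiter instances are assumptions, with the 5-per-minute and 20-per-minute values taken from the page.

```typescript
// Hypothetical sliding-log limiter: keeps the timestamps of recent requests per
// key and counts those that fall inside the window. A production deployment
// would store the log in Redis so every server instance shares the same view.
class SlidingWindowLimiter {
  readonly limit: number;
  readonly windowMs: number;
  private readonly log = new Map<string, number[]>();

  constructor(limit: number, windowMs: number) {
    this.limit = limit;
    this.windowMs = windowMs;
  }

  // Returns true and records the request if it fits in the window; false otherwise.
  tryAcquire(key: string, now: number): boolean {
    const windowStart = now - this.windowMs;
    const recent = (this.log.get(key) ?? []).filter(t => t > windowStart);
    if (recent.length >= this.limit) {
      this.log.set(key, recent);   // keep the pruned log; the rejected call is not recorded
      return false;
    }
    recent.push(now);
    this.log.set(key, recent);
    return true;
  }

  remaining(key: string, now: number): number {
    const windowStart = now - this.windowMs;
    const used = (this.log.get(key) ?? []).filter(t => t > windowStart).length;
    return Math.max(0, this.limit - used);
  }
}

// Limits stated on the page, keyed by email address.
const otpSendLimiter = new SlidingWindowLimiter(5, 60 * 1000);
const otpVerifyLimiter = new SlidingWindowLimiter(20, 60 * 1000);

// Driver: six OTP send requests one second apart; the sixth is refused.
function demoOtpSendBurst(email: string, startMs: number): boolean[] {
  const results: boolean[] = [];
  for (let i = 0; i < 6; i++) {
    results.push(otpSendLimiter.tryAcquire(email, startMs + i * 1000));
  }
  return results;
}
```

A rejected request is deliberately not added to the log; otherwise a client that keeps retrying would extend its own block indefinitely, which turns a brute-force protection into a self-inflicted lockout for a legitimate user who mistyped once too often.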

Storage quota enforcement. Before an upload is accepted, the system checks the workspace owner's current storage usage against their subscription tier quota. If the projected usage (current storage plus the new upload) would exceed the quota, the upload is rejected with a user-facing message. This applies to both public and dedicated links.

Upload size limits. Individual file sizes are validated against workspace-level limits determined by the owner's subscription tier. Files that exceed the limit are rejected before the upload begins.

Link eligibility checks. Before each upload, the system verifies server-side that the link is active, has not expired, and (if password-protected) that the correct password has been provided.

Search engine exclusion. Upload pages are excluded from search engine indexing through noindex metadata, sitemap exclusion, and robots.txt restrictions. See Security & Data Handling for details.

Input sanitization. Email addresses, file names, folder names, and URL slugs are sanitized server-side to prevent injection and path traversal attacks.
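The sanitization paragraph names four inputs: email addresses, file names, folder names, and URL slugs. The following is an added example, not Foldly's code, showing one defensible policy for each; the rules (basename only and no leading dots for file names, lowercase ASCII and hyphens for slugs, a plausibility check plus canonical lowercase for email) and the function names sanitizeFileName, sanitizeSlug, sanitizeEmail and storageKey are assumptions made for the illustration, not the service's actual rules.

```typescript
const MAX_FILE_NAME = 255;
const MAX_SLUG = 64;

// File names: keep only the final path segment, drop control and reserved
// characters, and refuse leading dots so "." / ".." and hidden files cannot appear.
function sanitizeFileName(input: string): string {
  const base = input.split(/[\\/]/).pop() ?? '';
  let name = base.normalize('NFC').replace(/[\u0000-\u001f\u007f<>:"|?*]/g, '').trim();
  name = name.replace(/^\.+/, '');
  if (name === '') name = 'file';
  return name.slice(0, MAX_FILE_NAME);
}

// Folder names and URL slugs: lowercase ASCII letters, digits and single hyphens
// only, so a slug can never contain a separator or traverse out of its parent.
function sanitizeSlug(input: string): string {
  return input
    .normalize('NFKD')
    .replace(/[\u0300-\u036f]/g, '')   // strip combining marks left behind by NFKD
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/^-+|-+$/g, '')
    .slice(0, MAX_SLUG);
}

// Email: canonical lowercase form, or null if it does not look like one address.
function sanitizeEmail(input: string): string | null {
  const email = input.trim().toLowerCase();
  const plausible = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email) && email.length <= 254;
  return plausible ? email : null;
}

// Builds the object key for a stored file from sanitized parts only, so the
// key is always underneath the workspace root whatever the uploader sent.
function storageKey(workspaceRoot: string, folderPath: string[], fileName: string): string {
  const segments = folderPath.map(sanitizeSlug).filter(s => s.length > 0);
  return [workspaceRoot, ...segments, sanitizeFileName(fileName)].join('/');
}
```

The file-name rule is an allow-by-construction policy rather than a deny-list of known bad strings: taking the basename makes every separator sequence collapse to a single segment, so there is no "../" to detect in the first place.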


What This Page Does Not Cover

This page describes the current behavior of Foldly's upload link and access control system as implemented in the production codebase. The following topics are intentionally not addressed here:

  • Compliance certifications. Foldly does not currently hold or claim SOC 2, ISO 27001, HIPAA, or similar certifications.

  • Audit logging. Foldly records uploader email and upload timestamps for provenance, but does not currently provide a formal audit log export for access events.

  • Team or organization roles. Foldly does not currently support multi-user teams, organization-level roles, or delegated administration within a workspace.

  • IP-based or time-based access control. Foldly does not currently support restricting uploads by IP address, network range, or time window.

  • End-to-end encryption. Foldly encrypts sensitive fields at rest (passwords, OAuth tokens) but does not implement end-to-end encryption for uploaded files.



Questions

For questions about Foldly's upload links or access controls, contact [email protected].


Last updated: March 29, 2026
