Fixitfy
Home

API

Programmatic uploads with a generated key. Multipart POST in, JSON out.

1. Get a key

Sign in at /login, then visit /dashboard/api-keys and click Generate key. The token is shown once — copy it immediately and store it in your CI / scripts. We keep only a SHA-256 hash on our side, so a lost token can only be revoked, not recovered.

Tokens look like fxf_ followed by 64 hex characters. Use them in an Authorization header with the Bearer scheme.

2. Endpoint

POST https://upload.fixitfy.com.tr/api/v1/upload

  • Content type: multipart/form-data
  • Form field: file (the image bytes — PNG, JPG, GIF, WebP, or AVIF up to 20 MB)
  • Header: Authorization: Bearer fxf_xxxxxxxxxxxxxxxxxxxxxxxx…

3. cURL example

curl -X POST https://upload.fixitfy.com.tr/api/v1/upload \
  -H "Authorization: Bearer fxf_YOUR_KEY_HERE" \
  -F "file=@/path/to/image.png"

4. Success response

HTTP/1.1 200 OK
Content-Type: application/json

{
  "ok": true,
  "filename": "FIXITFY-aB3xZ7nQrL9p.png",
  "url": "https://upload.fixitfy.com.tr/images/FIXITFY-aB3xZ7nQrL9p.png",
  "delete_url": null,
  "size": 184237,
  "mime": "image/png",
  "width": 1920,
  "height": 1080,
  "hash_sha256": "9b998a17f968480982526464f04575fc..."
}

url is the direct image link — embed it anywhere a regular image URL works.

5. Error response

HTTP/1.1 415 Unsupported Media Type
Content-Type: application/json

{
  "ok": false,
  "code": "nsfw_rejected",
  "error": "Explicit content detected. This image cannot be hosted."
}

Codes

  • unauthorized (401) — missing or malformed Authorization header
  • banned (403) — owner of the key is banned
  • missing_file, empty_file, bad_request (400)
  • too_large (413) — over 20 MB
  • unsupported_type (415) — not a valid PNG/JPG/GIF/WebP/AVIF
  • nsfw_rejected (415) — automated NSFW review blocked the upload
  • processing_failed (415) — image is corrupt or sharp couldn't decode it
  • rate_limit (429) — 30 uploads per minute per key
  • rate_limit_day (429) — 2000 uploads per day per key
  • storage_failed, db_failed (500) — server error, retry with exponential backoff

6. Dedupe

Every upload's content is hashed (SHA-256). If you upload the exact same bytes twice, the second request returns the existing URL instead of writing a duplicate file. The hash is included in every success response.

7. Limits

  • Max file size: 20 MB
  • Per-key rate limit: 30/min, 2000/day
  • Total active keys per user: 10
  • Allowed formats: PNG, JPG (incl. JPEG), GIF, WebP, AVIF. EXIF metadata is stripped on upload.

8. Quick libraries

Node.js (fetch)

import { readFile } from "node:fs/promises";

const file = await readFile("./screenshot.png");
const fd = new FormData();
fd.set("file", new Blob([file], { type: "image/png" }), "screenshot.png");

const res = await fetch("https://upload.fixitfy.com.tr/api/v1/upload", {
  method: "POST",
  headers: { Authorization: "Bearer " + process.env.FIXITFY_KEY },
  body: fd,
});
const data = await res.json();
console.log(data.url);

Python (requests)

import os, requests

with open("screenshot.png", "rb") as f:
    r = requests.post(
        "https://upload.fixitfy.com.tr/api/v1/upload",
        headers={"Authorization": "Bearer " + os.environ["FIXITFY_KEY"]},
        files={"file": f},
    )

print(r.json()["url"])

9. Revoking a key

Visit /dashboard/api-keys and click Revoke next to any key. Revocation is instant — any in-flight request using that key returns 401 immediately.

If you suspect a key has been leaked, revoke it first, then generate a new one. Audit log entries (api_key.created / api_key.revoked) are visible to admins for incident review.