Private file access
How DALP restricts KYC, organisation, and admin files to authenticated Console sessions and validates each request against the caller's object-key scope.
Every file uploaded during KYC, organisation onboarding, or admin review is stored under a scoped object key and never exposed as a public URL. The Platform API returns an error response before reading storage when a request arrives without a valid session, uses an out-of-scope key, or references a missing object.
Read this page when you need to understand why a private file link works for one user and fails for another. For operator steps, see Open private files.
Do not build private file URLs by guessing object keys. Use the workflow that returns or records the file reference, then request the returned URL from your authenticated Console session. The URL is tied to Console authentication and object-key scope. Sharing the path with another user does not grant access unless that user also holds the required session and scope. A denied request returns an error response instead of exposing the stored object.
Access model
Object-key scopes
DALP allows private reads only for recognised object-key scopes. Each scope ties the readable path to a specific user identity or organisation, so access to one scope does not grant reads on objects belonging to another. Use the table below to identify which scope applies to your request.
| Object-key scope | Who can read it | Typical use | Notes |
|---|---|---|---|
kyc/{userId}/... | The same user, or an admin user | KYC evidence and KYC profile document envelopes | The {userId} segment must match the signed-in user's DALP user ID. |
org/{orgId}/... | A member of the active organisation, or an admin user | Organisation-scoped documents and files | The {orgId} segment must match the active organisation in session. |
admin/... | Admin users only | Administrative files | Non-admin users receive 403 Forbidden. |
| Any other first segment | No one by default | Not a supported private file scope | DALP denies unknown scopes instead of falling back to public access. |
Object keys are normalised before access checks. If your key contains . or .. path segments, the Platform API rejects the request to prevent traversal outside the allowed object-key namespace.
Request behaviour
The private file route supports GET and HEAD. HEAD returns metadata headers without the file body. GET returns the file body and metadata headers.
HEAD /dalp/private/kyc/user_123/version_456/document_789/envelope.jsonWhen access is allowed and the object exists, DALP returns metadata headers such as:
200 OK
Content-Type: application/json
Content-Length: 2480
ETag: "9b2cf535f27731c974343645a3985328"
Last-Modified: Tue, 26 May 2026 10:30:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0A GET request to the same URL returns the object body with the same cache-control posture. Treat the URL as an authenticated Console route, not as a public object-storage URL. Do not use it outside a signed-in Console session.
Status codes
| Status | Meaning | What to do |
|---|---|---|
200 | DALP found the object and the signed-in user can read it. | Use the returned file body or metadata headers. |
400 | The private file path is incomplete. | Request a URL returned by DALP instead of constructing the path manually. |
401 | No signed-in DALP session is available. | Sign in again, then retry the URL from the Console context. |
403 | The object key is invalid, unknown, or outside the user's scope. | Stop and request the file through the owning workflow or an authorised user. |
404 | The object-storage provider has no object at the allowed key. | Recheck the upload or document record before retrying. |
503 | DALP cannot reach object storage. | Retry after the storage service recovers. |
500 | DALP hit an unexpected storage read failure. | Retry only after checking operational status or support guidance. |
Security notes
Private file access is separate from public branding and asset-document URLs. The Platform API requires an authenticated session and enforces object-key scope before reading storage.
The Platform API sets Cache-Control: no-cache, no-store, must-revalidate, Pragma: no-cache, and Expires: 0 on private file responses. Do not persist private file contents in shared caches. Store downloaded files only where your organisation's retention and access policy allows it.
A successful private file read proves only that the signed-in user can read the stored object at that key. It does not prove that a participant is approved, that an asset transfer is compliant, or that a document meets a regulator's evidence requirements.
Related pages
- KYC document uploads for the upload and confirmation workflow that stores KYC evidence.
- Token documents for asset document metadata and download behaviour.
- Request headers for API context headers used by integration clients.
- Error handling for production retry and recovery patterns.
KYC reviewer version action API
Approve, reject, or request changes on a KYC profile version under review through the DALP Platform API, SDK, and CLI.
Exchange rates
Read current and historical fiat currency pair rates, discover supported currencies, and understand how DALP selects one feed per pair and resolves inverse pairs.