ONE.GY

OVERVIEW

Upload, download, manage, and delete files programmatically over HTTPS. All endpoints use the base URL shown below.

Guest uploads are temporary and expire automatically. Authenticated users can upload to their cloud drive with optional permanent retention.

BASE URL

https://one.gy

MAX UPLOAD SIZE

5 GB

GUEST UPLOAD LIMIT

1 GB

DEFAULT EXPIRY

1 DAY

ENCRYPTION

FERNET (AT REST)

UPLOAD

POST

/upload

Upload one or more files via multipart form data. Returns a management URL and a download URL. Multiple files are automatically bundled into a ZIP archive server-side.

Guest uploads are temporary and expire after 1 day by default. Authenticated users can upload to their cloud drive by setting is_temp=false for permanent retention.

EXAMPLES

▶ CURL

# Upload a single file
curl -X POST https://one.gy/upload \
  -F "files=@photo.jpg"

# Upload multiple files (bundled into ZIP)
curl -X POST https://one.gy/upload \
  -F "files=@file1.txt" \
  -F "files=@file2.png"

# Upload with a short URL
curl -X POST https://one.gy/upload \
  -F "files=@photo.jpg" \
  -F "short_url=true"

▶ WGET

# wget requires a manually constructed multipart body
B="----Boundary$(date +%s)"; F="photo.jpg"; T=$(mktemp)
printf -- "--%s\r\nContent-Disposition: form-data; name=\"files\"; filename=\"%s\"\r\n\r\n" "$B" "$F" > "$T"
cat "$F" >> "$T"; printf "\r\n--%s--\r\n" "$B" >> "$T"
wget --method=POST --body-file="$T" \
  --header="Content-Type: multipart/form-data; boundary=$B" \
  -O response.json "https://one.gy/upload"
rm "$T"

▶ PYTHON

import requests

# Upload a file
response = requests.post(
    "https://one.gy/upload",
    files=[
        ("files", ("report.pdf", open("report.pdf", "rb"))),
        ("files", ("data.csv", open("data.csv", "rb"))),
    ],
    verify=False,  # Only if using self-signed certificate
)
result = response.json()
print(f"Download: {result['download_url']}")
print(f"Manage:   https://one.gy{result['redirect']}")

PARAMETERS

NAME TYPE DESCRIPTION

files file One or more files (multipart/form-data). Use file for single E2E uploads.

is_temp string "true" (default) for temporary upload, "false" for cloud drive (requires login)

folder_id integer Destination folder ID for cloud drive uploads (requires login)

short_url string "true" to generate a short 6-character URL code accessible at /s/{code}

e2e string "true" for client-side encrypted uploads (see E2E section)

e2e_salt string Base64 or comma-separated decimal bytes of 16-byte salt (required if e2e=true)

e2e_iv string Base64 or comma-separated decimal bytes of 12-byte IV (required if e2e=true)

RESPONSE

▶ 200 OK

{
  "redirect": "/manage/{management_token}",
  "download_url": "https://one.gy/f/{file_id}/{filename}",
  "management_token": "{management_token}"
}

DOWNLOAD

GET

/f/{file_id}/{filename}

Download a file by its UUID. Including the filename in the URL ensures wget and curl -O save with the correct name. Password-protected files require the pw query parameter.

Files uploaded with short_url=true can also be downloaded via /s/{short_code}, which redirects to the full URL (or serves directly for CLI clients).

EXAMPLES

▶ CURL

# Public file
curl -O "https://one.gy/f/{file_id}/{filename}"

# Password-protected file
curl -O "https://one.gy/f/{file_id}/{filename}?pw=yourpassword"

▶ WGET

# Public file
wget "https://one.gy/f/{file_id}/{filename}"

# Password-protected file
wget "https://one.gy/f/{file_id}/{filename}?pw=yourpassword"

▶ PYTHON

import requests

# Public file
response = requests.get(
    "https://one.gy/f/{file_id}/{filename}",
    verify=False,
)
with open("photo.jpg", "wb") as f:
    f.write(response.content)

# Password-protected file
response = requests.get(
    "https://one.gy/f/{file_id}/{filename}",
    params={"pw": "yourpassword"},
    verify=False,
)

PARAMETERS

NAME TYPE DESCRIPTION

file_id path UUID of the file

filename path Original filename (optional, ensures correct save name)

pw query Password for protected files

RESPONSE

▶ 200 OK

Binary file data (streamed)

MANAGE FILE

GET

/manage/{token}

View file management page. The management token is returned in the upload response under redirect. Requires session ownership.

POST

/manage/{token}

Update file settings programmatically. Set the X-Requested-With: XMLHttpRequest header to receive a JSON response instead of a redirect.

EXAMPLES

▶ CURL - UPDATE SETTINGS

curl -X POST https://one.gy/manage/{token} \
  -H "X-Requested-With: XMLHttpRequest" \
  -d "public=on" \
  -d "expires=7d" \
  -d "max_downloads=100"

PARAMETERS

NAME TYPE DESCRIPTION

public string "on" to make file publicly accessible, "off" to make private

expires string 30m, 6h, 1d, 3d, 7d, or never. never requires a logged-in user with a cloud drive file; temp/guest uploads are capped at 7d.

max_downloads integer Max total downloads before file is auto-deleted. Set to 0 to remove the limit.

RESPONSE

▶ 200 OK (AJAX)

{
  "success": true,
  "has_password": false
}

DELETE FILE

POST

/delete/{token}

Permanently delete a file from the server. Requires the management token and session ownership. The token is the last segment of the management URL returned during upload.

EXAMPLES

▶ CURL

curl -X POST https://one.gy/delete/{token} \
  -H "X-Requested-With: XMLHttpRequest"

RESPONSE

▶ 200 OK (AJAX)

{"success": true}

E2E ENCRYPTION

End-to-end encrypted files are encrypted on the client before upload. The server never sees the plaintext data or the encryption key.

BROWSER & CLI (MODERN): The browser and CLI tool use a MEGA-style zero-knowledge system with per-file AES-256-GCM keys, chunked 64MB encryption, and PBKDF2 key derivation with 600,000 iterations. This is handled automatically and is not directly accessible via the API examples below.

API (LEGACY SIMPLE): The examples below demonstrate a simpler single-file encryption scheme using AES-256-GCM with PBKDF2 key derivation (600,000 iterations). You derive a key from a passphrase using PBKDF2 with a random salt, encrypt the file with AES-256-GCM using a random IV, then upload the ciphertext along with the salt and IV as form parameters.

UPLOAD WITH E2E ENCRYPTION

POST

/upload

▶ PYTHON - E2E UPLOAD

import os
import base64
import requests
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes

# Configuration
PASSPHRASE = "my-secret-passphrase"
FILE_PATH = "secret-document.pdf"
DOMAIN = "https://one.gy"

# Generate random salt and IV
salt = os.urandom(16)
iv = os.urandom(12)

# Derive key from passphrase using PBKDF2
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=600000,
)
key = kdf.derive(PASSPHRASE.encode("utf-8"))

# Encrypt file with AES-256-GCM
with open(FILE_PATH, "rb") as f:
    plaintext = f.read()

aesgcm = AESGCM(key)
ciphertext = aesgcm.encrypt(iv, plaintext, None)

# Upload encrypted data with salt and IV
response = requests.post(
    f"{DOMAIN}/upload",
    files={"file": ("secret-document.pdf", ciphertext)},
    data={
        "e2e": "true",
        "e2e_salt": base64.b64encode(salt).decode(),
        "e2e_iv": base64.b64encode(iv).decode(),
    },
    verify=False,
)
result = response.json()
print(f"Download: {result['download_url']}")
print(f"Manage:   {DOMAIN}{result['redirect']}")

DOWNLOAD AND DECRYPT E2E FILE

GET

/f/{file_id}/encrypted

Download raw encrypted data for E2E files. The response includes X-E2E-Salt and X-E2E-IV headers containing comma-separated decimal byte values of the salt and IV needed for decryption.

▶ PYTHON - E2E DOWNLOAD AND DECRYPT

import base64
import requests
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.hazmat.primitives import hashes

# Configuration
PASSPHRASE = "my-secret-passphrase"
FILE_ID = "your-file-uuid-here"
DOMAIN = "https://one.gy"
OUTPUT_FILE = "decrypted-document.pdf"

# Download encrypted data
response = requests.get(
    f"{DOMAIN}/f/{FILE_ID}/encrypted",
    verify=False,
)

# Extract salt and IV from response headers (comma-separated decimal byte values)
salt = bytes([int(x) for x in response.headers["X-E2E-Salt"].split(",")])
iv = bytes([int(x) for x in response.headers["X-E2E-IV"].split(",")])
ciphertext = response.content

# Derive the same key from the passphrase
kdf = PBKDF2HMAC(
    algorithm=hashes.SHA256(),
    length=32,
    salt=salt,
    iterations=600000,
)
key = kdf.derive(PASSPHRASE.encode("utf-8"))

# Decrypt with AES-256-GCM
aesgcm = AESGCM(key)
plaintext = aesgcm.decrypt(iv, ciphertext, None)

with open(OUTPUT_FILE, "wb") as f:
    f.write(plaintext)
print(f"Decrypted file saved to {OUTPUT_FILE}")

E2E PARAMETERS

NAME TYPE DESCRIPTION

e2e string "true" to mark upload as end-to-end encrypted

e2e_salt string Comma-separated decimal byte values of 16-byte salt used for PBKDF2 key derivation (e.g. "142,55,201,44,..."). Base64-encoded strings are also accepted.

e2e_iv string Comma-separated decimal byte values of 12-byte IV used for AES-256-GCM encryption (e.g. "10,233,78,..."). Base64-encoded strings are also accepted.

RESPONSE HEADERS (ENCRYPTED DOWNLOAD)

HEADER TYPE DESCRIPTION

X-E2E-Salt string Comma-separated decimal byte values of salt for PBKDF2 key derivation

X-E2E-IV string Comma-separated decimal byte values of IV for AES-256-GCM decryption

AUTHENTICATION

All authenticated API endpoints require an API key sent via the Authorization header using the Bearer scheme. Generate API keys from your account page.

Each API key has individual permissions controlling which actions it can perform. You can also restrict keys to specific IP addresses. Users can create up to 10 API keys, each with their own permissions and IP whitelist.

AUTHENTICATION HEADER

▶ FORMAT

Authorization: Bearer YOUR_API_KEY

PERMISSIONS

Each API key must be granted specific permissions. All permissions are disabled by default when creating a new key. Available permissions:

PERMISSION ENDPOINTS DESCRIPTION

read GET /apiv1/files, /search, /trash, /files/{id}/properties List files, folders, search, view trash, get file properties

download GET /apiv1/download/{id} Download files

write POST /apiv1/upload, /folders Upload files, create folders

delete DELETE /apiv1/files/{id}, /folders/{id}, /trash/{id}, /trash/empty Trash and permanently delete files/folders, empty trash

restore POST /apiv1/trash/{id}/restore Restore files from trash

manage_keys GET/POST/PATCH/DELETE /apiv1/keys List, create, update, and revoke API keys via the API

IP WHITELIST

Each API key can optionally be restricted to a list of up to 10 IPv4 addresses or CIDR subnets (minimum /24). If no IPs are configured, the key works from any IP address.

EXAMPLE

▶ CURL

# Test your API key
curl https://one.gy/apiv1/files \
  -H "Authorization: Bearer YOUR_API_KEY"

ERROR RESPONSES

CODE REASON DESCRIPTION

401 Missing/Invalid Key No Authorization header, invalid format, or revoked/unknown key

403 API Disabled / No Permission / IP Blocked API access disabled, key lacks required permission, or IP not in whitelist

KEY MANAGEMENT (API)

POST

/apiv1/keys

Create a new API key with specific permissions and optional IP whitelist. Requires manage_keys permission. Maximum 10 active keys per user.

REQUEST BODY

▶ JSON

{
  "label": "MY DEPLOYMENT SCRIPT",
  "permissions": {
    "read": true,
    "download": true,
    "write": true,
    "delete": false,
    "restore": false,
    "manage_keys": false
  },
  "allowed_ips": ["203.0.113.1", "10.0.0.0/24"]
}

EXAMPLE

▶ CURL

# Create key with read + write permissions, restricted to one IP
curl -X POST https://one.gy/apiv1/keys \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"label":"CI Server","permissions":{"read":true,"write":true},"allowed_ips":["203.0.113.50"]}'

PATCH

/apiv1/keys/{key_id}

Update permissions, IP whitelist, and/or label on an existing API key. Only provided fields are changed.

EXAMPLE

▶ CURL

# Add delete permission and restrict to subnet
curl -X PATCH https://one.gy/apiv1/keys/KEY_ID \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"permissions":{"delete":true},"allowed_ips":["10.0.0.0/24"]}'

# Remove all IP restrictions (allow any IP)
curl -X PATCH https://one.gy/apiv1/keys/KEY_ID \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"allowed_ips":[]}'

RESPONSE

▶ 200 OK

{
  "id": "abc-123",
  "label": "CI Server",
  "permissions": {
    "read": true, "download": false, "write": true,
    "delete": true, "restore": false, "manage_keys": false
  },
  "allowed_ips": ["10.0.0.0/24"]
}

UPLOAD (API)

POST

/apiv1/upload

Upload a file to your cloud drive. Files are encrypted server-side with Fernet (E2E encryption is not supported via API). Uploaded files have no expiration and are private by default.

EXAMPLES

▶ CURL

# Upload a file
curl -X POST https://one.gy/apiv1/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@photo.jpg"

# Upload to a specific folder
curl -X POST https://one.gy/apiv1/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@report.pdf" \
  -F "folder_id=42"

# Upload multiple files (bundled into ZIP)
curl -X POST https://one.gy/apiv1/upload \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "files=@file1.txt" \
  -F "files=@file2.png"

▶ WGET

# wget requires a manually constructed multipart body
B="----Boundary$(date +%s)"; F="photo.jpg"; T=$(mktemp)
printf -- "--%s\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%s\"\r\n\r\n" "$B" "$F" > "$T"
cat "$F" >> "$T"; printf "\r\n--%s--\r\n" "$B" >> "$T"
wget --method=POST --body-file="$T" \
  --header="Content-Type: multipart/form-data; boundary=$B" \
  --header="Authorization: Bearer YOUR_API_KEY" \
  -O response.json "https://one.gy/apiv1/upload"
rm "$T"

▶ PYTHON

import requests

response = requests.post(
    "https://one.gy/apiv1/upload",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    files={"file": ("report.pdf", open("report.pdf", "rb"))},
    verify=False,
)
result = response.json()
print(f"File ID:  {result['file_id']}")
print(f"Download: {result['download_url']}")

PARAMETERS

NAME TYPE DESCRIPTION

file / files file One or more files (multipart/form-data). Use file for single, files for multiple.

folder_id integer Destination folder ID (optional, defaults to root)

RESPONSE

▶ 201 CREATED

{
  "file_id": "a1b2c3d4-...",
  "name": "photo.jpg",
  "size": 1048576,
  "download_url": "https://one.gy/f/{file_id}/{filename}",
  "management_token": "e5f6g7h8-..."
}

DOWNLOAD (API)

GET

/apiv1/download/{file_id}

Download a file from your cloud drive. The file is decrypted server-side and streamed. Only non-E2E files are supported. Returns binary file data.

EXAMPLES

▶ CURL

curl -o photo.jpg \
  -H "Authorization: Bearer YOUR_API_KEY" \
  "https://one.gy/apiv1/download/{file_id}"

▶ WGET

wget --header="Authorization: Bearer YOUR_API_KEY" \
  -O photo.jpg \
  "https://one.gy/apiv1/download/{file_id}"

▶ PYTHON

import requests

response = requests.get(
    "https://one.gy/apiv1/download/{file_id}",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    verify=False,
)
with open("photo.jpg", "wb") as f:
    f.write(response.content)

RESPONSE

▶ 200 OK

Binary file data (streamed, with Content-Disposition and Content-Length headers)

LIST FILES (API)

GET

/apiv1/files

GET

/apiv1/files/{folder_id}

List files and subfolders in a directory. Omit folder_id for the root directory.

EXAMPLES

▶ CURL

# List root directory
curl https://one.gy/apiv1/files \
  -H "Authorization: Bearer YOUR_API_KEY"

# List a specific folder
curl https://one.gy/apiv1/files/42 \
  -H "Authorization: Bearer YOUR_API_KEY"

▶ PYTHON

import requests

response = requests.get(
    "https://one.gy/apiv1/files",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    verify=False,
)
data = response.json()
for folder in data["folders"]:
    print(f"[DIR] {folder['name']} (id={folder['id']})")
for file in data["files"]:
    print(f"      {file['name']} ({file['size_formatted']})")

RESPONSE

▶ 200 OK

{
  "folder_id": null,
  "folders": [
    {"id": 42, "name": "Documents", "is_e2e": false, "is_public": false}
  ],
  "files": [
    {
      "id": "a1b2c3d4-...",
      "name": "photo.jpg",
      "size": 1048576,
      "size_formatted": "1.00 MB",
      "is_public": false,
      "download_url": "https://one.gy/f/{file_id}/{filename}",
      "downloads": 3
    }
  ]
}

CREATE FOLDER (API)

POST

/apiv1/folders

Create a new folder. Sends JSON body with the folder name and optional parent folder ID.

EXAMPLES

▶ CURL

# Create in root
curl -X POST https://one.gy/apiv1/folders \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Photos"}'

# Create nested folder
curl -X POST https://one.gy/apiv1/folders \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Vacation", "parent_id": 42}'

▶ PYTHON

import requests

response = requests.post(
    "https://one.gy/apiv1/folders",
    headers={
        "Authorization": "Bearer YOUR_API_KEY",
        "Content-Type": "application/json",
    },
    json={"name": "Photos"},
    verify=False,
)
print(f"Folder ID: {response.json()['id']}")

RESPONSE

▶ 201 CREATED

{"id": 43, "name": "Photos"}

DELETE (API)

DELETE

/apiv1/files/{file_id}

DELETE

/apiv1/folders/{folder_id}

Move a file or folder to trash (soft delete). Trashed items are automatically permanently deleted after 48 hours. Use the trash endpoints to restore or permanently delete sooner.

EXAMPLES

▶ CURL

# Delete a file (moves to trash)
curl -X DELETE https://one.gy/apiv1/files/{file_id} \
  -H "Authorization: Bearer YOUR_API_KEY"

# Delete a folder and all contents (moves to trash)
curl -X DELETE https://one.gy/apiv1/folders/42 \
  -H "Authorization: Bearer YOUR_API_KEY"

▶ PYTHON

import requests

# Delete a file
response = requests.delete(
    "https://one.gy/apiv1/files/{file_id}",
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    verify=False,
)
print(response.json())  # {"success": true}

RESPONSE

▶ 200 OK

{"success": true}

SEARCH (API)

GET

/apiv1/search?q={query}

Search files and folders by name. Returns up to 50 results for each type. Case-insensitive partial matching.

EXAMPLES

▶ CURL

curl "https://one.gy/apiv1/search?q=photo" \
  -H "Authorization: Bearer YOUR_API_KEY"

▶ PYTHON

import requests

response = requests.get(
    "https://one.gy/apiv1/search",
    params={"q": "photo"},
    headers={"Authorization": "Bearer YOUR_API_KEY"},
    verify=False,
)
for f in response.json()["files"]:
    print(f"{f['name']} ({f['size_formatted']})")

RESPONSE

▶ 200 OK

{
  "files": [
    {"id": "...", "name": "photo.jpg", "size": 1048576, "size_formatted": "1.00 MB", "download_url": "..."}
  ],
  "folders": [
    {"id": 42, "name": "Photos", "parent_id": null}
  ]
}

TRASH (API)

GET

/apiv1/trash

POST

/apiv1/trash/{file_id}/restore

DELETE

/apiv1/trash/{file_id}

DELETE

/apiv1/trash/empty

Manage trashed items. List trash contents, restore files, permanently delete individual files, or empty the entire trash. Trashed items are auto-deleted after 48 hours.

EXAMPLES

▶ CURL

# List trash
curl https://one.gy/apiv1/trash \
  -H "Authorization: Bearer YOUR_API_KEY"

# Restore a file from trash
curl -X POST https://one.gy/apiv1/trash/{file_id}/restore \
  -H "Authorization: Bearer YOUR_API_KEY"

# Permanently delete from trash
curl -X DELETE https://one.gy/apiv1/trash/{file_id} \
  -H "Authorization: Bearer YOUR_API_KEY"

# Empty entire trash
curl -X DELETE https://one.gy/apiv1/trash/empty \
  -H "Authorization: Bearer YOUR_API_KEY"

RESPONSE (LIST)

▶ 200 OK

{
  "files": [
    {"id": "...", "name": "old-file.txt", "size": 1024, "remaining_hours": 36.5}
  ],
  "folders": [
    {"id": 10, "name": "Archive", "remaining_hours": 12.3}
  ]
}

ALL ENDPOINTS

Complete reference of all authenticated API endpoints. All require the Authorization: Bearer header and the listed permission.

METHOD ENDPOINT PERMISSION DESCRIPTION

GET /apiv1/keys manage_keys List your active API keys (with permissions & IP whitelist)

POST /apiv1/keys manage_keys Create a new API key (JSON: {"label": "...", "permissions": {...}, "allowed_ips": [...]})

PATCH /apiv1/keys/{key_id} manage_keys Update permissions and/or IP whitelist on an existing key

DELETE /apiv1/keys/{key_id} manage_keys Revoke an API key

POST /apiv1/upload write Upload file(s) to cloud drive

GET /apiv1/download/{file_id} download Download a file (non-E2E only)

GET /apiv1/files read List files in root directory

GET /apiv1/files/{folder_id} read List files in a folder

GET /apiv1/files/{file_id}/properties read Get file details (size, downloads, visibility, etc.)

DELETE /apiv1/files/{file_id} delete Move file to trash

POST /apiv1/folders write Create folder (JSON: {"name": "...", "parent_id": N})

DELETE /apiv1/folders/{folder_id} delete Move folder and contents to trash

GET /apiv1/search?q={query} read Search files and folders by name

GET /apiv1/trash read List trashed items

POST /apiv1/trash/{file_id}/restore restore Restore file from trash

DELETE /apiv1/trash/{file_id} delete Permanently delete from trash

DELETE /apiv1/trash/empty delete Empty entire trash

ERROR CODES

All error responses return an appropriate HTTP status code. JSON endpoints return an error field in the response body.

CODE STATUS DESCRIPTION

400 Bad Request No files provided or invalid request format

401 Unauthorized Login required (e.g. cloud drive upload with is_temp=false)

403 Forbidden Session does not own this file or insufficient permissions

404 Not Found File not found, expired, or invalid token

410 Gone Download limit reached, file has been removed

413 Payload Too Large File exceeds the maximum upload size (5 GB for registered users, 1 GB for guests)

429 Too Many Requests Rate limit exceeded, try again later

507 Insufficient Storage Server disk is full or user storage quota exceeded

EXAMPLE ERROR RESPONSE

▶ JSON ERROR

{"error": "No files"}

RATE LIMITS

API endpoints are rate-limited to prevent abuse. Authenticated users have higher limits than guests. When a rate limit is exceeded, the server returns 429 Too Many Requests.

ENDPOINT GUESTS AUTHENTICATED

/upload 30 / min 1000 / min

/f/{id} 60 / min 2000 / min

/manage/{token} 20 / min 600 / min

/delete/{token} 20 / min 600 / min