Share links
Token-based public read access to projects, apps, and explicitly shared files.
Share routes expose read-only canvas and app views to anyone with the token. Creating or revoking share links requires a browser session with step-up — use POST/DELETE /api/v1/projects/:id/share documented in Projects.
Public read endpoints (no auth)
| Method | Path | Description |
|---|---|---|
GET | /api/v1/share/project/:token | Project canvas payload for /share/project/:token. |
GET | /api/v1/share/app/:token | App payload for /share/app/:token. |
GET | /api/v1/share/:token | Legacy alias; resolves like project share. |
GET | /api/v1/share/lab/:token | Legacy alias; redirects to /share/project/:token. |
GET | /api/v1/share/project/:token/files/:id | Download a referenced project file when the share's Files used visibility is enabled (signed redirect for private objects). |
GET | /api/v1/share/project/:token/files/:id/preview | Inline preview when the share exposes files and the MIME type supports it. |
Pages vs API
Public pages live at https://alumia.com/share/project/<token> (project) and https://alumia.com/share/app/<token>. The API routes above back those pages with JSON the read-only canvas renderer consumes.
Security
Tokens are opaque 72-character values stored on the project or app record. Revoking share clears the token immediately; the next request returns 404. Shared views never expose API keys, connector credentials, billing, or other org resources.
See Share a canvas for the dashboard workflow.