serverpod/serverpod-file-uploads
packages/serverpod/skills/serverpod-file-uploads/SKILL.md
File uploads in Serverpod — upload descriptions, verification, storage backends (database, S3, GCP). Use when implementing file uploads or cloud storage.
$ install --global
skillsauthnpx skillsauth add serverpod/serverpod serverpod-file-uploadsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 6, 2026, 4:49 AM113.0s1 file scanned
SKILL.md
- name:
- serverpod-file-uploads
- description:
- File uploads in Serverpod — upload descriptions, verification, storage backends (database, S3, GCP). Use when implementing file uploads or cloud storage.
Serverpod File Uploads
Flow: server issues upload description → client uploads → server verifies. Default storage is the database; use S3, GCP, R2, or compatible object storage for production.
Server: create upload description
Future<String?> getUploadDescription(Session session, String path) async {
return await session.storage.createDirectFileUploadDescription(
storageId: 'public',
path: path,
);
}
Always authorize the request and derive the path from trusted server-side state (user id, tenant id, object id). Do not accept arbitrary client paths.
Server: verify upload
Future<bool> verifyUpload(Session session, String path) async {
return await session.storage.verifyDirectFileUpload(
storageId: 'public', path: path);
}
Always verify after client upload when using object storage.
Client: upload
var desc = await client.myEndpoint.getUploadDescription('profile/$userId/avatar.png');
if (desc != null) {
var uploader = FileUploader(desc);
await uploader.upload(byteDataOrStream);
await client.myEndpoint.verifyUpload('profile/$userId/avatar.png');
}
Use Stream for large files. Paths: no leading slash, object-store compatible, normalized, and scoped to the authenticated user/tenant.
Security checklist
- Require authentication/authorization for both description and verification endpoints.
- Validate or derive content type, size, and extension before issuing descriptions.
- Never let clients choose cross-tenant paths or storage IDs.
- Store metadata in your database after
verifyDirectFileUploadsucceeds.
Accessing stored files
session.storage.fileExists(storageId: 'public', path: path)session.storage.getPublicUrl(storageId: 'public', path: path)(public storage only)session.storage.retrieveFile(storageId: 'public', path: path)
Storage backends
- Database (default):
publicandprivatestorages. Fine for dev. - Google Cloud Storage: Add
serverpod_cloud_storage_gcp, set HMAC keys inpasswords.yamlor env. Register:pod.addCloudStorage(GoogleCloudStorage(...)). - AWS S3: Add
serverpod_cloud_storage_s3, set AWS keys. Register:pod.addCloudStorage(S3CloudStorage(...)). - S3-compatible/R2: Use the matching integration package when targeting compatible providers.
Use storageId: 'public' or 'private' when replacing defaults.
Related Skills
serverpod/serverpod-flutter-frontend
development
VerifiedTrustedCommunity
Build highly distinctive, production-ready Flutter interfaces with exceptional design fidelity. Include this skill whenever a user requests Flutter widgets, screens, or full apps.
3,192SKILL.mdUpdated Jun 4, 2026
serverpod/serverpod-auth
testing
VerifiedTrustedCommunity
Serverpod Authentication — Signing in users, verify if they are authenticated, assinging scopes (e.g., admin). Use when adding features that require the user to be signed in.
3,192SKILL.mdUpdated May 13, 2026
serverpod/serverpod-webserver
development
VerifiedTrustedCommunity
Serverpod web server (Relic) — REST APIs, webhooks, middleware, static files, server-rendered HTML, SPAs, Flutter web. Use when adding HTTP routes, serving web pages or web apps, intercepting requests, or working with the Relic web server.
3,187SKILL.mdUpdated Apr 15, 2026
serverpod/serverpod-overview
tools
VerifiedTrustedCommunity
Serverpod overview — what it is, project structure, how to work with. Always use at least once when working with projects that use Serverpod.
3,180SKILL.mdUpdated Apr 15, 2026