API Documentation
Everything you need to integrate with transfer.injected.wtf — upload and download encrypted files with curl, wget, or any HTTP client.
One-Command Upload
Upload any file with a single curl command and get a shareable link back instantly.
Encrypted at Rest
XChaCha20-Poly1305 encryption on the server. No client-side setup, no keys to manage.
Auto-Expiring
Files are automatically deleted after the configured expiration period. 30-day maximum.
Overview
transfer.injected.wtf is an encrypted, ephemeral file sharing service. Every file uploaded is encrypted on the server with XChaCha20-Poly1305 before it touches disk. Downloads are decrypted on-the-fly and streamed over TLS.
There is no client-side encryption and no decryption key needed. URLs are public and work everywhere — browsers, curl, wget, scripts. The goal is protecting data at rest in case of a server-side data leak.
Quick Start
# Upload a file
curl --upload-file ./secret.pdf https://transfer.injected.wtf/secret.pdf
# The response is a JSON object with the download URL
# {
# "id": "abc123def",
# "filename": "secret.pdf",
# "url": "https://transfer.injected.wtf/abc123def/secret.pdf",
# "size": 1048576,
# "expires": "2026-03-21T07:00:00.000Z"
# }
# Download it back
curl https://transfer.injected.wtf/abc123def/secret.pdf -o secret.pdf
No setup required for basic use.
Anonymous uploads work instantly with no account needed (up to 250 MB).
Create a free account to upload up to 10 GB and manage your files.
CLI Upload
Upload files from the command line using PUT requests. The filename in the URL path determines the download filename.
PUT /:filename
Stream a file to the server via HTTP PUT. This is the simplest method and works with curl's --upload-file flag.
# Basic upload
curl --upload-file ./report.pdf https://transfer.injected.wtf/report.pdf
# Set custom expiry (default: 14 days, max: 30)
curl -H "X-Max-Days: 7" --upload-file ./report.pdf \
https://transfer.injected.wtf/report.pdf
# Upload with progress bar
curl --progress-bar --upload-file ./large-backup.tar.gz \
https://transfer.injected.wtf/large-backup.tar.gz
POST /api/upload
Alternatively, use a multipart form POST. This is what the web UI uses internally. Accepts a file field and an optional maxDays field.
# Multipart upload
curl -F "file=@./photo.jpg" -F "maxDays=7" \
https://transfer.injected.wtf/api/upload
Request Headers
| Header |
Description |
Default |
| X-Filename |
Override the filename from the URL path |
Path segment |
| X-Max-Days |
Number of days before the file auto-deletes (1–30) |
14 |
| Content-Type |
MIME type of the file (auto-detected if not provided) |
application/octet-stream |
Web Upload
The web interface provides a drag-and-drop upload experience with real-time progress tracking.
How It Works
The web uploader uses the POST /api/upload endpoint internally. Simply drag a file onto the upload card, set your desired expiry, and click Upload.
Features
| Feature |
Details |
| Drag & drop |
Drop files anywhere on the upload card |
| Clipboard paste |
Paste files or screenshots directly with Ctrl+V |
| Progress bar |
Real-time XHR upload progress with percentage |
| Custom expiry |
Choose 1–30 days via the stepper control |
| Copy link |
One-click copy of the resulting download URL |
Download
Every uploaded file gets a unique, shareable download URL that works in any browser or HTTP client.
URL Format
Download URLs follow this pattern:
https://transfer.injected.wtf/{id}/{filename}
The server decrypts the file on-the-fly and streams it directly to you over TLS. No special client or decryption key is needed.
curl Download
# Download a file
curl https://transfer.injected.wtf/abc123def/secret.pdf -o secret.pdf
# Download with wget
wget https://transfer.injected.wtf/abc123def/secret.pdf
File Info API
Get metadata about a file without downloading it:
# Get file info (JSON)
curl https://transfer.injected.wtf/api/download/abc123def/info
Raw Download API
Force a raw binary download (bypasses browser content negotiation):
# Raw binary stream
curl https://transfer.injected.wtf/api/download/abc123def/raw -o file.bin
Content-Length header.
The server sends a proper Content-Length header so progress bars work correctly in curl, wget, and browsers.
Encryption
All files are encrypted server-side before being written to disk, protecting against data breaches and disk theft.
Algorithm
| Property |
Value |
| Cipher |
XChaCha20-Poly1305 |
| Key size |
256-bit |
| Nonce size |
192-bit (extended nonce) |
| Authentication |
Poly1305 MAC (authenticated encryption) |
| Key derivation |
Unique random key per file |
No client-side encryption.
The design is intentionally server-side only. This allows public URLs to work with curl, wget, and browsers without requiring a decryption key. The threat model protects against server-side data leaks, not in-transit interception (TLS handles that).
How It Works
1. You upload a file via PUT or POST.
2. The server generates a unique 256-bit key and 192-bit nonce.
3. The file is encrypted with XChaCha20-Poly1305 and written to disk.
4. The key and nonce are stored in a metadata database (not on disk with the file).
5. On download, the server reads the key from the database, decrypts the file in a stream, and sends it over TLS.
6. When the file expires, both the encrypted file and metadata are permanently deleted.
Limits
The following limits are enforced to keep the service running smoothly for everyone.
Service Limits
| Limit |
Value |
Notes |
| Max file size (anonymous) |
250 MB |
No account required. Upload via web or curl. |
| Max file size (account) |
10 GB |
Requires a free account or API key. |
| Max expiry |
30 days |
Files are auto-deleted after expiry. Default is 14 days. |
| Min expiry |
1 day |
Cannot be set lower than 24 hours. |
| Rate limit |
10 req/min |
Per-IP upload rate limit. Downloads are not rate limited. |
Rate limit exceeded?
You will receive a 429 Too Many Requests response. Wait a minute and try again.
Response Format
All API responses are JSON. Here are the response shapes for each endpoint.
Upload Success (200)
{
"id": "abc123def",
"filename": "secret.pdf",
"url": "https://transfer.injected.wtf/abc123def/secret.pdf",
"size": 1048576,
"expires": "2026-03-21T07:00:00.000Z"
}
File Info (200)
{
"id": "abc123def",
"filename": "secret.pdf",
"size": 1048576,
"mime": "application/pdf",
"expires": "2026-03-21T07:00:00.000Z",
"created": "2026-03-07T07:00:00.000Z"
}
Error Response (4xx / 5xx)
{
"error": "File not found",
"code": "NOT_FOUND",
"status": 404
}
HTTP Status Codes
| Code |
Meaning |
| 200 |
Success — upload complete or file info returned |
| 400 |
Bad request — missing file, invalid parameters |
| 404 |
File not found or expired |
| 413 |
File too large (exceeds 10 GB limit) |
| 429 |
Rate limit exceeded — wait and retry |
| 500 |
Server error — unexpected failure |
ShareX Integration
Use ShareX to upload screenshots and files directly to transfer.injected.wtf with one hotkey.
Setup
1. Create an account and go to your dashboard.
2. Generate an API key from the dashboard sidebar.
3. Click "Download .sxcu config" to get the ShareX custom uploader config file.
4. Double-click the downloaded .sxcu file. ShareX will import it automatically.
5. In ShareX, go to Destinations → Custom uploader settings and select transfer.injected.wtf as your image/file uploader.
How It Works
ShareX sends a POST to /api/upload with your API key in the X-API-Key header. Files are encrypted and stored just like web uploads, and appear in your dashboard gallery.
Manual Configuration
If you prefer to configure ShareX manually:
{
"Version": "16.1.0",
"Name": "transfer.injected.wtf",
"DestinationType": "ImageUploader, FileUploader",
"RequestMethod": "POST",
"RequestURL": "https://transfer.injected.wtf/api/upload",
"Headers": {
"X-API-Key": "YOUR_API_KEY_HERE"
},
"Body": "MultipartFormData",
"FileFormName": "file",
"URL": "{json:url}"
}
API Key Authentication
For programmatic uploads (scripts, ShareX, custom tools), include your API key in one of these headers:
# Using X-API-Key header
curl -H "X-API-Key: tfr_abc123..." \
-F "file=@./screenshot.png" \
https://transfer.injected.wtf/api/upload
# Using Authorization header
curl -H "Authorization: Bearer tfr_abc123..." \
--upload-file ./report.pdf \
https://transfer.injected.wtf/report.pdf
10 GB upload limit.
Authenticated uploads (via API key or login) can upload files up to 10 GB. Anonymous uploads are limited to 250 MB.
Accounts
Create a free account to unlock higher upload limits, file management, and API key access.
Free vs Anonymous
| Feature |
Anonymous |
Free Account |
| Max file size |
250 MB |
10 GB |
| Upload method |
Web & curl |
Web, curl, ShareX, API |
| File management |
— |
Dashboard gallery with delete |
| API key |
— |
Personal API key |
| ShareX support |
— |
.sxcu config download |
| File expiry |
1–30 days |
1–30 days |
Creating an Account
Visit the registration page and provide a username, email, and password. Your account is activated immediately.
API Key
After logging in, go to your dashboard and click "Generate new key". Your API key starts with tfr_ and is 68 characters long.
Use the API key in the X-API-Key or Authorization: Bearer header for authenticated uploads.
Keep your API key secret.
Anyone with your API key can upload files to your account. If compromised, generate a new key from the dashboard — the old one will be invalidated.