Private Attachments

Sunshine Conversations offers the option to host attachments in privately accessible cloud storage. By doing so, users will need to request access to view their privately stored attachments.

Uploading private attachments

For attachments sent by users, business actors (appMakers) can update their apps’ settings to change the default attachment storage access level setting (attachmentsAccess) to enable this feature. This can be done when creating an app or by updating an existing one. See App settings for more details. When set to private, all user attachments received from third-party channels will be uploaded to privately accessible cloud storage, and require an appropriately-scoped cookie in order to access their attachments.

For attachments sent by the business, appMakers needs to specify each attachment’s access level when using the Attachments API.

To access attachments that are set to private, viewers will need to implement the authorization logic below.

Authorization

In order to view private attachments, request an appropriate media jsonwebtoken (JWT) and visit the /cookie endpoint from the browser to set the cookie (examples below). By default, media tokens are valid for 2 hours; see App settings for more details.

Generating media JWT

Each Media JSON Web Token (JWT), used to set an access cookie, includes a path parameter that references a specific app. In the request to create JWTs, the paths list can contain one or more resource paths; a media JWT will be returned for each resource path provided. See the Generate media token API for more information.

This API offers multiple ways to view attachments

Allowing all files under an app

Payload
{
    "paths": ["/apps/c7f6e6d6c3a637261bd9656f"]
}
Response
{
    "tokens": {
        "/apps/c7f6e6d6c3a637261bd9656f": "media-jwt"
    }
}

Allowing all files under a conversation

Payload
{
    "paths": ["/apps/c7f6e6d6c3a637261bd9656f/conversations/c7f616d6c3a637261bd965sf"]
}
Response
{
    "tokens": {
        "/apps/c7f6e6d6c3a637261bd9656f/conversations/c7f616d6c3a637261bd965sf": "media-jwt"
    }
}

Allowing a single file

Payload
{
    "paths": [
        "/apps/c7f6e6d6c3a637261bd9656f/conversations/c7f616d6c3a637261bd965sf/drOg2uW39Z3eHHLzXNTByrc8/xtRHpX7sdbfVI4Bs2JQbEXKL.png"
    ]
}
Response
{
    "tokens": {
        "/apps/c7f6e6d6c3a637261bd9656f/conversations/c7f616d6c3a637261bd965sf/drOg2uW39Z3eHHLzXNTByrc8/xtRHpX7sdbfVI4Bs2JQbEXKL.png": "media-jwt"
    }
}

Requesting a media token for a conversation that has other conversations merged to it

When making a request to generate a jwt for a conversation that has other conversations merged to it, you will also get jwts for the 10 most recently merged conversations. If you require to view attachments for older conversations then you will need to make an app level media token request.

Example media token

eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6IjM3NzdBNUM3LUI3QUQtNDEyMC1BNEVDLUNBNzk1ODlDRTYxNSJ9.eyJwYXRoIjoiL2FwcHMvNWVkYTk3ZDBhNmQ5ZmUwMDBmN2U2ODQyIiwiZXhwIjoxNTkzMjA2MzEzLCJpYXQiOjE1OTMxOTkxMTN9.R1i7e5YgRHv_QjUqUcP9c5xa4VgJ5aen675V84r1euCjNz165qqkZaep6of7aXNBKsZ29AI1CgbVt_nPn3ZsYTBc1cQ96ucqTv8tFR0FHf20-oR-_1egdyyLqJjxb0UI1wGZPGCP8mEs3mQwMu4lvZMF9vaty1Ye8wy-lPAPYFuZMb1rCES0QT6QUOAn45hAAfdT1zKqQ8ImV5eWVi6m0ENqV-JjExsiZ2mAMwyguDJ5yJUQLGKOV3f_Our1fVWfit5cGoMk-97o3009o628gVfSZVzPuvdNIfQOb0UUr_ELsI2qbY_Ju4REpSqYwdkjvSd3T20baf5K7_FGOrxPQitHAZojQAdlRK3mB-kC3IbVa93YFBcLK5UbRXnJYAo24UH828vU-MLgRrgzD6oVpcxNk8yyaLThJpTynO9Eoi0vKJ0m-_3A1ASKzYrR6ZZZWmRsFtZVtlpS21oYuO2tvS4EkbM8AhH4nh6V8oQUkQtvYIZKkEOadc0AFTjbv-le35hHLmHBZigUTRoZKokeglSDKr0FwDZylp7V3O8l6X0EhOU0BCoP1UYrEf8GjPdSLvu0Mno_k6hFw2Hx9DTdvnybZYroMkG31To2nmVhPglZ4FCswGV85HcqCcWQjhugFmB--9aE19G-OGOVFJfH6rFp0_cB4AxM9kSHQsWyuUs

Example media token contents

Headers:

{
    "alg": "RS512",
    "typ": "JWT",
    "kid": "key-id"
}

Payload:

{
    "path": "/apps/c7f6e6d6c3a637261bd9656f",
    "exp": 1590526689,
    "iat": 1590519489
}

Once you have generated the media JWT, you will be able to call the Set Cookie API. The token will need to be passed within the headers, as follows:

Authorization: Bearer {media-jwt}

After calling this API, you should notice a new zendesk_media_token cookie with a path that matches the resource(s) you allowed previously.

Viewing the private attachment

Finally, while you have the previously added cookie in your browser, you will be able to view the attachment. Using the above example, you would be able to view the attachment at the following url:

https://privatemedia.smooch.io/apps/c7f6e6d6c3a637261bd9656f/conversations/a77caae4cbbd263a0938eba0/BrlpkPpMZ7shJyTA1U5Wt35T/spongebob.png