Get Started
Overview
Everything a user needs to start using dlvr.sh today: web uploads, share links, REST API paths, limits, and the current security model.
Quickstart
dlvr.sh is built for temporary file delivery. Upload a file in the web UI or through the API, get a short share link, and let the service handle expiry, optional passwords, and download limits.
The fastest way to try the service is the homepage uploader. For automation, install the CLI or use the REST API. Small files can go through a single multipart request. Larger files use a two-step direct upload flow.
Web
Choose a file, pick a preset or custom expiry date, optionally add a password or download limit, and upload from the homepage.
CLI
Install @dlvr/cli, run dlvr, and upload from the terminal with prompts or flags.
REST API
Use POST /api/upload for smaller files or the direct upload session flow for larger ones.
CLI quickstart
npm install -g @dlvr/cli
dlvr --file ./report.pdf --email team@example.com --duration 24hSmall file via REST
curl -X POST https://dlvr.sh/api/upload \
-F "file=@./report.pdf" \
-F "duration=24h" \
-F "password=secret" \
-F "maxDownloads=10" \
-F "notify=team@example.com"Web uploads
The homepage uploader supports one file at a time and exposes the same core options as the API: expiry controls, password, max downloads, and optional notification emails.
- The homepage offers 1h, 24h, and 3d presets plus a custom date and time up to 7 days out.
- Smaller files upload inline through the Worker.
- Larger files switch to a direct upload flow when direct uploads are enabled on the deployment.
- Notification emails are limited to 3 recipients per upload.
- Audio uploads are blocked, and anonymous videos over 700 MB are rejected.
- Successful uploads return a short share URL in the form
/f/<short-id>/.
Direct upload availability
503.
Limits and current behavior
| Item | Current behavior |
|---|---|
| Inline API upload | About 95 MiB |
| Overall file size limit | 2 GiB |
| Durations | 1h, 24h, 3d, 7d |
| Homepage expiry picker | 1h, 24h, 3d, or a custom date up to 7 days out |
| Max downloads | Optional, normalized to a positive integer up to 10,000 |
| Notification recipients | Up to 3 email addresses per upload |
| Anonymous upload quota | 10 uploads per rolling 30 days per anonymous owner |
| Blocked media | All audio uploads, plus anonymous videos at or above 700 MB |
| Authentication | No user auth required today |
Large-file REST uploads are two-step
curl -F request is only for the inline upload path. Larger REST uploads use POST /api/uploads, an R2 upload URL, and then POST /api/uploads/:uploadId/complete.
Security and privacy
dlvr.sh is designed for temporary delivery, not permanent storage. Files can be protected with a password, limited by download count, and expire automatically based on the selected duration.
- Passwords are supported on uploads and required on download when set.
- Notification emails include the share URL and file metadata, but not the plaintext password.
- The service stores the metadata required to enforce expiry, passwords, and download limits.
- Anonymous upload enforcement uses a first-party browser token when available and falls back to hashed IP metadata.
- The public share link is the only thing needed to reach the download page unless a password is configured.
For public endpoint reference and request examples, continue to the REST API docs.