Building

Signed URLs expire so files do not

software

The portal stores files in Cloudflare R2, but the database never holds a full URL. It holds a key — a path like uploads/1714000000-mastered-track.wav. When a client clicks download, the API generates a signed URL that expires in twenty-four hours. When an admin uploads a file, the API generates a signed upload URL that expires in one hour. The file lives in R2 indefinitely. The access to it is always temporary. This means there are no permanent public links to client files floating around in email threads or browser history.

Every download is authenticated — the API checks whether the logged-in user is an admin or whether their client record matches the project the file belongs to. If neither, the request is rejected before a URL is ever generated.

The upload flow is two steps. First, the admin requests a presigned upload URL. The client-side code uploads directly to R2 using that URL — the file never passes through the Next.js server. Second, the admin calls a completion endpoint that creates an Attachment record in the database linking the R2 key to the project. One file, one key, one record.

The same pipeline handles audio stems, accessibility reports, software source code, and production session recordings.
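The download and upload paths described above, as an added example that is not the portal's own code: the authorization check runs first, and only then is a SigV4 query-string URL signed for R2's S3-compatible endpoint. The record shapes, function names, and the host, bucket and credential values are assumptions.

```javascript
const crypto = require("node:crypto");
const DOWNLOAD_TTL = 24 * 60 * 60; // seconds: download links live 24 hours
const UPLOAD_TTL = 60 * 60;        // seconds: upload links live 1 hour

const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();
// RFC 3986 percent-encoding, as SigV4 requires (encodeURIComponent leaves !'()* alone).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase());

// SigV4 query-string presign against R2's S3-compatible endpoint (region "auto").
function presign({ method, key, ttl, host, bucket, accessKeyId, secret, now = new Date() }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20240425T000000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/auto/s3/aws4_request`;
  const path = `/${enc(bucket)}/` + key.split("/").map(enc).join("/");
  const query = [ // names already in sorted order, as the canonical request needs
    ["X-Amz-Algorithm", "AWS4-HMAC-SHA256"],
    ["X-Amz-Credential", `${accessKeyId}/${scope}`],
    ["X-Amz-Date", amzDate],
    ["X-Amz-Expires", String(ttl)],
    ["X-Amz-SignedHeaders", "host"],
  ].map(([k, v]) => `${k}=${enc(v)}`).join("&");
  const canonical = [method, path, query, `host:${host}\n`, "host", "UNSIGNED-PAYLOAD"].join("\n");
  const digest = crypto.createHash("sha256").update(canonical).digest("hex");
  const toSign = ["AWS4-HMAC-SHA256", amzDate, scope, digest].join("\n");
  const signingKey = [day, "auto", "s3", "aws4_request"].reduce(hmac, "AWS4" + secret);
  const signature = hmac(signingKey, toSign).toString("hex");
  return `https://${host}${path}?${query}&X-Amz-Signature=${signature}`;
}

// Hypothetical record shapes: user { role, clientId }, attachment { key, project: { clientId } }.
function canDownload(user, attachment) {
  if (!user) return false;
  if (user.role === "admin") return true;
  return user.clientId != null && user.clientId === attachment.project.clientId;
}

// The authorization check runs first; a rejected request never reaches presign().
function downloadUrl(user, attachment, r2, now) {
  if (!canDownload(user, attachment)) return null;
  return presign({ ...r2, method: "GET", key: attachment.key, ttl: DOWNLOAD_TTL, now });
}
function uploadUrl(user, key, r2, now) {
  if (!user || user.role !== "admin") return null;
  return presign({ ...r2, method: "PUT", key, ttl: UPLOAD_TTL, now });
}

// Constructed sample configuration; host, bucket and credentials are placeholders.
const SAMPLE_R2 = { host: "ACCOUNT_ID.r2.cloudflarestorage.com", bucket: "portal-files",
  accessKeyId: "EXAMPLE_KEY_ID", secret: "EXAMPLE_SECRET" };
```

The expiry is part of the signed query string, so changing X-Amz-Expires on an issued URL invalidates its signature.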
