Card attachments *now* inherit board privacy settings?

It used to be that attachments on private boards were publicly-accessible, as mentioned in previous threads like this one:

Our business built an app on top of the API that relies on these attachments (images, specifically) being publicly-accessible.

But now, it looks like these attachments now require the same permissions the boards themselves require. And, I've so far been unable to find anything in the API that would allow me to at least make these images accessible via a proxy or any other means.

Does anyone know if this was intentional, if they plan on adding API access to attachments, or if there's any other way we can make attachments on private boards publicly-accessible?

3 answers

1 accepted

3 votes
Answer accepted

After doing some digging on the developer community board, I see that requiring auth for private board attachments has been a planned change:

The solution is to add auth headers to your get request, like:

Authorization: OAuth oauth_consumer_key="<KEY>", oauth_token="<TOKEN>"

Because I don't want to expose my API credentials, I had to create an intermediate proxy service that attaches the auth headers and streams the results back.

@Bryan Buchanan 

I worked on the same yesterday. I create a file and make it accessible as a download which is the recommendation. You mention “stream” in your post, can you share how you did it? How would you handle the different media types and file types? Is there a generic binary object type I should use?

@milynnus By no means do I claim this is good or correct, but this is the method I'm using for now. It's not actually streaming, but that isn't a huge deal for my particular application.

@Bryan Buchanan 

Thanks for sharing. I found out that there is type=stream for large files. Got it to work and I am able to get files downloaded. Will try with a pdf to see if it will work.

I think the goal is to provide a url and a zipfile of all the contents is made available. That seems to be the ease of sharing that is needed. Best it can be provided as a service from Trello board.
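
The proxy approach from the accepted answer, as an added example that is not part of the original posts or Bryan's own code: it attaches the `Authorization` header server-side, only forwards requests that look like attachment downloads, and streams the body back with the upstream media type. The download path pattern, the 24-hex-character ID format, Node 18+ and the environment variable names are assumptions.

```javascript
// Added example, not code from the thread. Assumes Node 18+ (global fetch) and
// credentials in the env vars TRELLO_KEY / TRELLO_TOKEN (names are hypothetical).
const ID = '[0-9a-f]{24}';
// Assumed download path: /1/cards/<cardId>/attachments/<attachmentId>/download/<name>
const DOWNLOAD_PATH = new RegExp(`^/1/cards/${ID}/attachments/${ID}/download/[^/]+$`);

// Header format quoted in the accepted answer.
function trelloAuthHeader(key, token) {
  return `OAuth oauth_consumer_key="${key}", oauth_token="${token}"`;
}

// Map the client's request path to the upstream URL, or null if it is not an
// attachment download. The host is fixed here, so the credentials are never
// sent to a server chosen by the client (the proxy must not be an open relay).
function upstreamUrl(clientPath) {
  let path;
  try {
    path = new URL(clientPath, 'http://proxy.invalid').pathname; // drops host and query
  } catch {
    return null;
  }
  return DOWNLOAD_PATH.test(path) ? `https://api.trello.com${path}` : null;
}

async function handle(req, res, key, token) {
  const target = req.method === 'GET' ? upstreamUrl(req.url) : null;
  if (!target) { res.writeHead(404).end(); return; }
  const upstream = await fetch(target, { headers: { Authorization: trelloAuthHeader(key, token) } });
  if (!upstream.ok || !upstream.body) { res.writeHead(502).end(); return; }
  res.writeHead(200, {
    // Pass the upstream media type through; fall back to a generic binary type.
    'Content-Type': upstream.headers.get('content-type') || 'application/octet-stream',
    'X-Content-Type-Options': 'nosniff', // uploaded files are untrusted content
  });
  const { Readable } = await import('node:stream');
  Readable.fromWeb(upstream.body).pipe(res); // stream instead of buffering the file
}

async function start(port = 8080) {
  const { TRELLO_KEY: key, TRELLO_TOKEN: token } = process.env;
  const http = await import('node:http');
  http.createServer((req, res) => {
    handle(req, res, key, token).catch(() => res.headersSent ? res.destroy() : res.writeHead(502).end());
  }).listen(port, '127.0.0.1');
}
// Only start listening when credentials are configured.
if (process.env.TRELLO_KEY && process.env.TRELLO_TOKEN) start();
```

Anyone who can reach this proxy can read every attachment the token can read, so it still needs its own access control or an allowlist of card IDs.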


I am trying to access a card's attachment via API, but the following error shows "unauthorized permission requested".

I followed all the instructions shown in this announcement:

The following URL is of the attachment I want to preview and where I put queries with API Key and Token access code.*******&token=*******

I do not think the query parameters are wrong because I used it with the following HTTPS call to get card's attachments links and it worked:*******&token=*******

What can be the problem?

Best regards

I believe the key and token need to be added to the request's headers, not just appended as a query string, as they are in your example. It does indeed behave a bit different than the existing API calls.

I tried with OAuth too, but maybe I am doing something wrong. Can you check, please?

Consumer Key={Here I put API KEY}
Consumer Secret={Here I put OAuth Secret provided in}
Access Token={Here I put API Token}
Token Secret={Nothing}

What are you using to make the request? The link I posted earlier in another reply has an example for adding the headers to a request made from Node.

I fixed it. 

I was using a Zapper-like webapp where I had to put that data. I needed to append Key and Token as OAuth and not just as query string.


I am also desperately looking for a way to regain this feature.  This new sharing seriously affects our workflow making Trello less convenient. 

Check out my previous answer

It’s not too difficult, I was just having a tough time finding info about the change.

Add the appropriate auth headers to the GET request, and you have your file. 

If you need to hide your key/token, make the request server-side, then serve/stream the file back as the response.

Update: Here's a quick example written for NodeJS. I'm sure there are better ways of serving or streaming the file back to the viewer, but this at least illustrates the process:

Sorry, this is beyond my skills.  I have no idea what to do with the code or where to upload it.  I am a user that needs to share attachments from a private board, and preview files as it was 2 months ago. 

@Martin Purmensky 

I am also trying to figure out how to deploy something like this.

Currently the best I can do is to send a URL via email to the user (it's a fake URL, so it will not work)


It works well with Chrome but Safari does not support the basic authentication.

Hidden behind the endpoint will be a server program that will gather all the attachments from a card and the user will be able to download them. Because it tricks a download it cannot be activated from Butler.
