Password Uploading

UPLOAD_PASSWORD protects write actions without making the whole drive private.

Setup

Add this variable in Vercel:

UPLOAD_PASSWORD=strong-private-password

Do not use NEXT_PUBLIC_UPLOAD_PASSWORD. Upload passwords must stay server-side.

Session Behavior

When the password is accepted, VercelDrive creates a short-lived HTTP-only cookie. The cookie lets the current browser continue upload actions without re-entering the password for every file.

The upload APIs still validate the cookie on the server:

/api/upload/auth
/api/upload/session
/api/upload/reset-auth-tokens

Security Notes

Use a strong password and share it only with people who should be allowed to upload. Anyone with the upload password can create files and folders in the exposed OneDrive directory.

Password protected folders Upload files and folders