Skip to main content

What It Does

The Attachments API lets you create metadata records for product attachments, list attachments for a product, and soft-delete attachments. Attachment metadata is managed through RPCs; actual file upload and download use the storage layer separately.

Authentication & Permissions

All RPCs require an authenticated session. Mutations require a role with sufficient permissions for the target brand.

RPCs

create_product_attachment_record

Creates a metadata record for a new product attachment. Request 
{
  "_brand_id": "uuid",
  "_product_id": "uuid",
  "_filename": "test-report.pdf",
  "_mime_type": "application/pdf",
  "_size_bytes": 204800
}
Response 
{
  "id": "uuid",
  "product_id": "uuid",
  "filename": "test-report.pdf",
  "mime_type": "application/pdf",
  "size_bytes": 204800,
  "storage_path": "brand-uuid/product-uuid/attachment-uuid",
  "created_at": "2026-01-15T12:00:00Z"
}
Errors
  • Not authenticated — request has no valid JWT.
  • Forbidden — caller does not have sufficient access.
  • Invalid input — request is malformed or cannot be processed.
Notes
  • This RPC creates the metadata record only. File upload is handled separately via the storage layer.

list_product_attachments

Returns all active (non-deleted) attachments for a product. Request 
{
  "_brand_id": "uuid",
  "_product_id": "uuid"
}
Response 
[
  {
    "id": "uuid",
    "filename": "test-report.pdf",
    "mime_type": "application/pdf",
    "size_bytes": 204800,
    "storage_path": "brand-uuid/product-uuid/attachment-uuid",
    "created_at": "2026-01-15T12:00:00Z"
  }
]
Errors
  • Not authenticated — request has no valid JWT.
  • Forbidden — caller does not have sufficient access.
  • Invalid input — request is malformed or cannot be processed.

soft_delete_product_attachment

Marks an attachment as deleted without permanently removing it. Request 
{
  "_brand_id": "uuid",
  "_attachment_id": "uuid"
}
Response 
{
  "id": "uuid",
  "is_deleted": true,
  "deleted_at": "2026-01-15T13:00:00Z"
}
Errors
  • Not authenticated — request has no valid JWT.
  • Forbidden — caller does not have sufficient access.
  • Invalid input — request is malformed or cannot be processed.
Notes
  • Soft-deleted attachments are excluded from list_product_attachments results.