File Upload Settings

Configure file uploads and storage on your workspace. To access these settings, go to Manage > Workspace > Settings > File Upload.

Important

  • Remember to click Save Changes to apply any changes made.

  • The file upload settings are available for self-managed workspaces only. Cloud-hosted workspaces have this pre-configured using the Amazon S3 storage type. For details on cloud-hosting services, refer to the Cloud Hosting Service Level Agreement (SLA).

General file upload settings

These settings control file uploads across your workspace, including size limits, accepted file types, access restrictions, JWT protection, and the storage backend. Use the table below to configure each option.

Field

Description

File Uploads Enabled

Turns file uploads on or off across the workspace.

Maximum File Upload Size (in bytes)

Maximum allowed file size for uploads. Use -1 to remove the limit. Match this value to your proxy's upload limit if you use one.

Accepted Media Types

A comma-separated list of media types users are allowed to upload. Leave blank to accept all media types.

Blocked Media Types

A comma-separated list of MIME types to block (with or without spaces). Takes priority over Accepted Media Types. For example, text/plain,image/jpeg,video/mp4 blocks .txt, .jpeg, .jpg, and .mp4 files.

Protect Uploaded Files

When enabled, only authenticated users can access uploaded files. When disabled, anyone with the file URL can download it.

Restrict files to rooms' members

Limits access to files in a room to that room's members.

Restrict files to users who can access the room

Lets anyone with access to a room download its files, including users outside the member list, such as Livechat managers, monitors, or agents with permission to view closed rooms. Mutually exclusive with Restrict files to rooms' members, and disabled while that setting is on.

Rotate images on upload

Automatically rotates images on upload. May reduce image quality.

Enable JSON Web Tokens protection to file uploads

Appends a JWT to uploaded file URLs.

This option only takes effect when a secret is set in File Upload Json Web Token Secret. If the secret is empty, no token is generated and JWT protection is not applied.

File Upload Json Web Token Secret

The JWT secret used to grant access to uploaded files without authentication.

Storage Type

The storage backend for file uploads. Options:

We recommend Amazon S3, Minio, or Google Cloud Storage.

File Uploads Enabled in Direct Messages

Allows file uploads in direct messages.

Note on the default media type:

Unknown file extensions default to application/octet-stream. To accept only known file extensions, add application/octet-stream to Blocked Media Types.

A Restore defaults button at the bottom of this section reverts these settings to their original values.
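
The precedence between Accepted Media Types and Blocked Media Types, together with the application/octet-stream default, can be modelled in a few lines. This is an added example, not Rocket.Chat's own code: the function names and the small extension table are assumptions made for illustration.

```javascript
// Added illustration of the documented rules, not Rocket.Chat's implementation.
// EXT_TO_MIME is a small constructed table; a real server uses a full MIME database.
const EXT_TO_MIME = {
  txt: 'text/plain',
  jpg: 'image/jpeg',
  jpeg: 'image/jpeg',
  png: 'image/png',
  mp4: 'video/mp4',
  pdf: 'application/pdf',
};

// Split a comma-separated setting value, with or without spaces.
function parseMediaTypeList(value) {
  return (value || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Unknown or missing extensions default to application/octet-stream.
function mediaTypeFor(filename) {
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : '';
  const known = Object.prototype.hasOwnProperty.call(EXT_TO_MIME, ext);
  return known ? EXT_TO_MIME[ext] : 'application/octet-stream';
}

// Blocked Media Types is checked first; a blank Accepted Media Types accepts the rest.
function uploadDecision(filename, accepted, blocked) {
  const type = mediaTypeFor(filename);
  if (parseMediaTypeList(blocked).includes(type)) {
    return { allowed: false, type, reason: 'blocked' };
  }
  const acceptList = parseMediaTypeList(accepted);
  if (acceptList.length > 0 && !acceptList.includes(type)) {
    return { allowed: false, type, reason: 'not accepted' };
  }
  return { allowed: true, type, reason: 'ok' };
}

// Constructed cases: the blocked list from the table, then the octet-stream default.
const PAGE_BLOCKED = 'text/plain,image/jpeg,video/mp4';
console.log(uploadDecision('notes.txt', '', PAGE_BLOCKED));
console.log(uploadDecision('tool.xyz', '', PAGE_BLOCKED));
console.log(uploadDecision('tool.xyz', '', PAGE_BLOCKED + ', application/octet-stream'));
```

With both lists blank, a file with an unrecognised extension is accepted as application/octet-stream, which is why the note above suggests blocking that type.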


Configure file system storage

Use these settings if you selected FileSystem as your storage type. In your workspace, go to Settings > File Upload > File System and configure the following:

Field

Description

System Path

The local path on the server where uploaded files are stored.

See Recommendations for File Upload for how File System storage works.


Configure Google Cloud Storage

Use these settings if you selected Google Cloud Storage as your storage type. For setup details, see the Google Cloud Storage documentation.

In your workspace, go to Settings > File Upload > Google Cloud Storage and configure the following:

Field

Description

Google Storage Bucket Name

The name of the bucket where files are uploaded.

Google Storage Access ID

The access ID, or username, of the service account with access to your Cloud Storage bucket. Usually in email format, for example, example-test@example.iam.gserviceaccount.com.

Google Storage Secret

A .pem containing your private key and certificate. See the Meteor Slingshot Google Cloud guide for how to generate the keys.

Project ID

The project ID from the Google Developer's Console.

Proxy Avatars

Routes avatar files through your server instead of serving them directly from the asset URL.

Proxy Uploads

Routes uploads through your server instead of serving them directly from the asset URL.

Proxy User Data Files

Routes user data files through your server instead of serving them directly from the asset URL. Applies, for example, when exporting a room as a file.

More about Google Storage Secret

The Google Storage Secret field expects a PEM file used to connect to your Cloud Storage bucket. When you create a service account, you download a JSON file containing several variables. You need the unescaped private key and one of the certificates linked at the bottom of the JSON.

The format looks like a standard PEM file:

-----BEGIN PRIVATE KEY-----
unescaped private key goes here
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
first certificate goes here
-----END CERTIFICATE-----

Paste this into Rocket.Chat to authenticate with Google and store files in the bucket.
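
Assembling that PEM by hand often fails because the private key is copied out of the JSON with its "\n" escapes still in place. The following added example (not Rocket.Chat or Google code) builds the field value from a service account JSON and one certificate; the helper names are hypothetical and both sample inputs are constructed placeholders, with the certificate assumed to be already downloaded.

```javascript
// Added example, not Rocket.Chat or Google code. Both samples are constructed and
// their bodies are placeholders, not real key material.
const SAMPLE_ACCOUNT_JSON = String.raw`{
  "type": "service_account",
  "client_email": "example-test@example.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDERKEYLINE1\nPLACEHOLDERKEYLINE2\n-----END PRIVATE KEY-----\n"
}`;
const SAMPLE_CERT = '-----BEGIN CERTIFICATE-----\nPLACEHOLDERCERTLINE\n-----END CERTIFICATE-----\n';

// Return one clean PEM block of the given label, or throw.
function normalizePem(text, label) {
  if (typeof text !== 'string') throw new Error(`missing ${label} block`);
  // A value copied out of the JSON by hand still holds literal "\n" pairs: unescape them.
  const pem = text.replace(/\\n/g, '\n').replace(/\r\n/g, '\n').trim();
  const begin = `-----BEGIN ${label}-----`;
  const end = `-----END ${label}-----`;
  if (!pem.startsWith(begin) || !pem.endsWith(end)) {
    throw new Error(`expected one ${label} PEM block`);
  }
  const body = pem.slice(begin.length, pem.length - end.length);
  if (body.trim() === '' || !/^[A-Za-z0-9+/=\s]+$/.test(body)) {
    throw new Error(`${label} body is empty or not base64`);
  }
  return `${pem}\n`;
}

// Build the value for the Google Storage Secret field: private key first, then certificate.
function buildStorageSecret(serviceAccountJson, certificatePem) {
  const account = JSON.parse(serviceAccountJson); // parsing turns "\n" escapes into newlines
  return normalizePem(account.private_key, 'PRIVATE KEY') + normalizePem(certificatePem, 'CERTIFICATE');
}

// Print only the line count so the key itself never reaches a terminal or log.
console.log(buildStorageSecret(SAMPLE_ACCOUNT_JSON, SAMPLE_CERT).trim().split('\n').length);
```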


Configure Amazon S3 file storage

Use these settings if you selected AmazonS3 as your storage type. For Amazon S3 setup, see the Amazon S3 documentation.

In your workspace, go to Settings > File Upload > Amazon S3 and configure the following:

Field

Description

Bucket name

The name of your Amazon S3 bucket.

Acl (optional)

A canned ACL configuration. See the complete list of canned ACLs.

Access Key

Your Amazon access key ID. Leave empty if running on an EC2 instance with an attached instance profile that has the right S3 permissions on the bucket.

Secret Key

Your Amazon secret access key. Leave empty if running on an EC2 instance with an attached instance profile that has the right S3 permissions on the bucket.


If AWSAccessKeyId and AWSSecretAccessKey are both empty, the AWS SDK falls back to the usual credential locations.

CDN Domain for Downloads (optional)

The CDN domain associated with your bucket, if any.

Region (optional)

The region code of your bucket, if it isn't in the US Standard region. See the list of region codes.

Bucket URL (optional)

Overrides the URL used for uploads. Also used for downloads unless a CDN is set.

Force Path Style

Forces path-style URLs for the bucket. See the AWS documentation: Virtual hosting of buckets and forcePathStyle.

FileUpload_S3_SignatureVersion

The AWS signature version used for authenticated requests. Defaults to v4.

URLs Expiration Timespan

How long, in seconds, Amazon S3 generated URLs remain valid. Values under 5 seconds are ignored.


If files load inconsistently for users far from the server, try increasing this value.

Proxy Avatars

Routes avatar files through your server instead of serving them directly from the asset URL.

Proxy Uploads

Routes uploads through your server instead of serving them directly from the asset URL.

Proxy User Data Files

Routes user data files through your server instead of serving them directly from the asset URL. Applies, for example, when exporting a room as a file.

Amazon S3 CORS configuration

Apply the following CORS configuration to your bucket.

XML format (for the old AWS console interface):

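<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <CORSRule>
    <AllowedHeader>*</AllowedHeader>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedOrigin>*ROCKET_CHAT_DOMAIN*</AllowedOrigin>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>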

JSON format (for the new AWS console interface):

[
  {
    "AllowedHeaders": [
        "*"
    ],
    "AllowedMethods": [
        "PUT",
        "POST",
        "GET",
        "HEAD"
    ],
    "AllowedOrigins": [
        "*ROCKET_CHAT_DOMAIN*"
    ],
    "ExposeHeaders": [],
    "MaxAgeSeconds": 3000
  }
]

Note:

Replace *ROCKET_CHAT_DOMAIN* with your Rocket.Chat domain, for example, https://chat.example.com. Setting CORS to * is a security risk because it allows requests from any host on the internet.
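
A check for the wildcard risk described in the note above, as an added example that is not part of the original page or of AWS or Rocket.Chat code. auditCorsRules() and its issue names are hypothetical, the rule lists are constructed, and https://chat.example.com is the example domain from the note.

```javascript
// Added example; auditCorsRules() is a hypothetical helper, not AWS or Rocket.Chat code.
// It reviews a bucket CORS rule list (the JSON shape shown above) against the single
// origin that should be allowed.
function auditCorsRules(rules, expectedOrigin) {
  const findings = [];
  let listed = false;
  rules.forEach((rule, index) => {
    for (const origin of rule.AllowedOrigins || []) {
      if (origin === expectedOrigin) {
        listed = true;
      } else if (origin === '*') {
        findings.push({ index, origin, issue: 'any-origin' }); // any host may send requests
      } else if (origin.includes('ROCKET_CHAT_DOMAIN')) {
        findings.push({ index, origin, issue: 'placeholder-not-replaced' });
      } else if (origin.includes('*')) {
        findings.push({ index, origin, issue: 'wildcard-origin' }); // matches several hosts
      } else {
        findings.push({ index, origin, issue: 'unexpected-origin' });
      }
    }
  });
  if (!listed) {
    findings.push({ index: -1, origin: expectedOrigin, issue: 'expected-origin-not-listed' });
  }
  return findings;
}

// Constructed inputs: the template from this page, a wildcard rule, and a corrected rule.
const BASE_RULE = {
  AllowedHeaders: ['*'],
  AllowedMethods: ['PUT', 'POST', 'GET', 'HEAD'],
  ExposeHeaders: [],
  MaxAgeSeconds: 3000,
};
const TEMPLATE_RULES = [{ ...BASE_RULE, AllowedOrigins: ['*ROCKET_CHAT_DOMAIN*'] }];
const WILDCARD_RULES = [{ ...BASE_RULE, AllowedOrigins: ['*'] }];
const FIXED_RULES = [{ ...BASE_RULE, AllowedOrigins: ['https://chat.example.com'] }];

// Issue names only, for the example workspace origin.
function issuesFor(rules) {
  return auditCorsRules(rules, 'https://chat.example.com').map((f) => f.issue);
}

for (const rules of [TEMPLATE_RULES, WILDCARD_RULES, FIXED_RULES]) {
  console.log(rules[0].AllowedOrigins[0], '->', issuesFor(rules));
}
```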


Configure WebDAV storage

Use these settings if you selected WebDAV as your storage type.

In your workspace, go to Settings > File Upload > WebDAV and configure the following:

Field

Description

Upload Folder Path

The WebDAV folder path where files are uploaded.

WebDAV Server Access URL

The URL of the WebDAV server. See WebDAV URLs of Common Cloud Storage Services for reference.

WebDAV Username

Your username for the remote WebDAV server.

WebDAV Password

Your password for the remote WebDAV server.

Proxy Avatars

Routes avatar files through your server instead of serving them directly from the asset URL.

Proxy Uploads

Routes uploads through your server instead of serving them directly from the asset URL.

Proxy User Data Files

Routes user data files through your server instead of serving them directly from the asset URL. Applies, for example, when exporting a room as a file.

For more details, or if you are facing issues with file uploads, see the File Upload FAQ.

If you change the storage type, previously uploaded files won't be available unless you revert the change.