API Documentation
Authentication
Include a bearer token in the Authorization header for authenticated requests:
Authorization: Bearer YOUR_TOKEN_HERE
POST /api/upload
Upload a file to Google Drive
Headers (Optional)
Authorization: Bearer YOUR_TOKEN
Form Data
file: (required) The file to upload
description: (optional) File description
folder: (optional) Folder path, requires auth
Example
curl -X POST https://lootsta.sh/api/upload \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -F "file=@document.pdf" \
  -F "description=My document" \
  -F "folder=/documents"
Response
{
  "success": true,
  "hash_id": "a7b3f2c1",
  "url": "https://lootsta.sh/f/a7b3f2c1",
  "filename": "document.pdf",
  "size": 1024000,
  "team": "shellforce"
}
GET /f/{hashID}
Download or preview a file (no auth required)
Parameters
?dl=1 - Force download (skip preview)
Example
# Direct download
wget https://lootsta.sh/f/a7b3f2c1
# Force download (skip preview)
curl -O "https://lootsta.sh/f/a7b3f2c1?dl=1"
GET /api/files
List files (requires auth, team-filtered)
Headers
Authorization: Bearer YOUR_TOKEN (required)
Query Parameters
folder: Filter by folder path (optional)
limit: Number of results (default: 50)
offset: Pagination offset (default: 0)
Example
curl "https://lootsta.sh/api/files?limit=100" \
  -H "Authorization: Bearer YOUR_TOKEN"
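The Authorization header used in these examples can be supplied without putting the token on the command line, where it is visible in the process list and in shell history. The following is an added example, not part of the lootsta.sh documentation; the LOOTSTASH_TOKEN variable and the function names are assumptions.

```shell
# Added example; LOOTSTASH_TOKEN and the function names are assumptions,
# not part of the documented API.
LOOTSTASH_BASE="https://lootsta.sh"

# Print a curl config line carrying the bearer header. Fed to curl on stdin
# (--config -), the token stays out of curl's argv, so it does not show up
# in the process list or in shell history.
lootstash_config() {
    if [ -z "${LOOTSTASH_TOKEN:-}" ]; then
        echo "LOOTSTASH_TOKEN is not set" >&2
        return 1
    fi
    # Accept only RFC 6750 b64token characters: a quote, backslash or newline
    # in the value could otherwise inject extra curl config options.
    case "$LOOTSTASH_TOKEN" in
        *[!A-Za-z0-9._~+/=-]*)
            echo "LOOTSTASH_TOKEN contains unexpected characters" >&2
            return 1 ;;
    esac
    printf 'header = "Authorization: Bearer %s"\n' "$LOOTSTASH_TOKEN"
}

# GET /api/files with the documented limit and offset parameters.
# Usage: lootstash_list [limit] [offset]
lootstash_list() {
    ls_limit="${1:-50}"
    ls_offset="${2:-0}"
    # Build the config first so a rejected token aborts before any request.
    ls_cfg=$(lootstash_config) || return 1
    printf '%s\n' "$ls_cfg" | curl --silent --show-error --fail --config - \
        --get \
        --data-urlencode "limit=$ls_limit" \
        --data-urlencode "offset=$ls_offset" \
        "$LOOTSTASH_BASE/api/files"
}
```

Set LOOTSTASH_TOKEN from a secrets manager or a prompt (for example `read -rs`) rather than typing it inline, then call `lootstash_list 100 0`.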
POST /api/files/search
Search files by name/description (requires auth)
Headers
Authorization: Bearer YOUR_TOKEN (required)
Content-Type: application/json
Body
{
  "query": "search term",
  "folder": "/optional/path",
  "limit": 50
}
Example
curl -X POST https://lootsta.sh/api/files/search \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query":"screenshot","limit":50}'
DELETE /api/files/{hashID}
Delete a file (requires auth)
Example
curl -X DELETE https://lootsta.sh/api/files/a7b3f2c1 \
  -H "Authorization: Bearer YOUR_TOKEN"
GET /api/folders
List all folders (requires auth, team-filtered)
Headers
Authorization: Bearer YOUR_TOKEN (required)
Example
curl https://lootsta.sh/api/folders \
  -H "Authorization: Bearer YOUR_TOKEN"
Response
{
  "folders": [
    {
      "id": 1,
      "name": "screenshots",
      "path": "/screenshots",
      "google_drive_folder_id": "1abc...",
      "created_at": "2026-01-06T20:00:00Z"
    }
  ]
}
PATCH /api/files/{hashID}/move
Move a file to a different folder (requires auth)
Headers
Authorization: Bearer YOUR_TOKEN (required)
Content-Type: application/json
Body
{
  "folder_path": "/engagements/client-alpha"
}
Example
curl -X PATCH https://lootsta.sh/api/files/abc123/move \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"folder_path":"/engagements"}'
POST /api/folders
Create a new folder (requires auth)
Body
{
  "path": "/engagements/client-alpha/creds"
}
Example
curl -X POST https://lootsta.sh/api/folders \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"path":"/engagements"}'
DELETE /api/folders/{id}
Delete a folder (requires auth)
Query Parameters
cascade=true - Delete all files in folder
Example
curl -X DELETE "https://lootsta.sh/api/folders/1?cascade=true" \
  -H "Authorization: Bearer YOUR_TOKEN"
GET /api/folders/{id}/download
Download entire folder as ZIP (requires auth)
Example
curl https://lootsta.sh/api/folders/1/download \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -o folder.zip
POST /api/files/download-zip
Download multiple files as ZIP (requires auth)
Body
{
  "file_ids": ["abc123", "def456", "ghi789"]
}
Example
curl -X POST https://lootsta.sh/api/files/download-zip \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"file_ids":["abc123","def456"]}' \
  -o files.zip
POST /api/paste
Create a paste (no auth required)
Body
{
  "content": "paste content",
  "is_encrypted": false,
  "password": "optional",
  "syntax": "javascript",
  "expires_in": "24h"
}
Expiry Options
1h, 24h, 7d, 30d, 1y, never
Example
curl -X POST https://lootsta.sh/api/paste \
  -H "Content-Type: application/json" \
  -d '{
    "content":"console.log(\"hello\");",
    "syntax":"javascript",
    "expires_in":"24h"
  }'
GET /paste/{hashID}
View a paste (HTML page)
Example
https://lootsta.sh/paste/b8c4g3e2
https://lootsta.sh/paste/b8c4g3e2#key=encryptionkey
GET /paste/{hashID}/raw
View raw paste content (plain text)
Note
Password-protected pastes cannot be viewed in raw format
Example
curl https://lootsta.sh/paste/b8c4g3e2/raw
Admin Endpoints
All admin endpoints require an admin bearer token.
Create Team
POST /api/admin/teams
Body: {"name":"teamname"}
Create User
POST /api/admin/users
Body: {"username":"user","team_id":1,"is_admin":false}
List All Files
GET /api/admin/files
Header: Authorization: Bearer ADMIN_TOKEN
Trigger Backup
POST /api/admin/backup
Header: Authorization: Bearer ADMIN_TOKEN
Rate Limits
- Anonymous: 2GB per file, 20GB/day per IP
- Authenticated: 50GB per file, unlimited