FAQ

Free anonymous file hosting. Upload up to 200 MB, get a link. No account, no tracking, no bs.

Most types — images, videos, archives, documents, audio. Executables (.exe, .bat, .cmd, .scr, .vbs, .msi, .dll, .ps1, .jar) are blocked for safety.

200 MB per file.

3 per day without an API key. With an API key, up to 50. Resets at midnight.

API keys raise your daily upload limit from 3 to 50 and unlock features like webhooks. They're issued by the admin — contact the operator to get one. Send your key via the X-Api-Key header.

No. Completely anonymous. No registration, no login.

Indefinitely for now. This may change depending on storage capacity.

Yes. When you upload a file, you get a delete token. Save it — send it via the X-Delete-Token header with a DELETE request to remove the file. No token = no delete.

Yes. Include a password field when uploading. Anyone accessing the file will need to provide the password via the X-File-Password header. Passwords are bcrypt-hashed — we never store them in plain text.

Instead of a random file ID, you can set a custom slug (3-32 chars, lowercase letters, numbers, and hyphens). Example: mysticbin.xyz/api/files/my-screenshot/view. Include slug in your upload request.

Collections let you group files together under a named set. Create a collection, get an edit token, then add files to it. Useful for organizing related uploads. Deleting a collection unlinks files but doesn't delete them.

Yes, for images (JPEG, PNG, GIF, WebP). Thumbnails are 200px WebP images generated on first request. Access via /files/{id}/thumbnail.

Yes. POST up to 10 files at once to /upload/bulk. Each file counts against your daily limit.

If you have an API key, you can register HTTPS webhook URLs to receive POST callbacks when events occur — file.uploaded, file.deleted, file.downloaded, and collection.created. Payloads are signed with HMAC-SHA256.

Yes, a full REST API. Upload, download, view, delete, collections, webhooks, and more. See the API Docs page for endpoints and code examples in curl, Python, JavaScript, Go, and Rust.

Standard multipart/form-data POST works with any language. Examples for discord.py and discord.js are in the docs.

/files/{id}/view serves files inline — images and PDFs display in the browser. /files/{id}/download always forces a download. Unsafe MIME types are forced to download regardless.

Yes. No personal data is logged. IPs are hashed with a monthly-rotating salt for rate limiting only and never tied to files.

You get a 429 status code. Check your current usage at /status. Wait until the next day or use an API key for higher limits.

Donate LTC to ltc1q96uju38au7dqgxwrhmnem3ujr4u8m0fm2svwew. Free forever — help keep it running.