How to securely implement POST Attachment

Overview

Merge's POST Attachment endpoints require a publicly accessible URL for each attachment so that Merge can fetch the file and transfer it to your chosen third-party platform. With the right security measures in place, you can ensure that your attachment URLs remain accessible only to Merge while still meeting your own security requirements.

Recommended S3-Based File Storage Solution for Merge Customers

When implementing attachment uploads for Merge's ATS, Accounting, or File Storage integrations, we recommend the following S3-based approach with pre-signed URLs, which provides the optimal balance of security, accessibility, and performance.

Implementation Components

Secure File Storage

  • Store attachment files in a dedicated, private S3 bucket

  • This ensures files remain private by default

Pre-signed URL Access

  • Generate time-limited, pre-signed URLs

  • These URLs provide controlled access without making your entire bucket public

  • Configurable expiration times (recommend 1-3 hours based on existing successful implementations)

Network Security

  • Implement S3 bucket policies restricting access to known Merge IP addresses

  • Request current Merge IP ranges from your Customer Success Manager or Merge support

  • This adds an additional security layer beyond URL expiration

Infrastructure Management

  • Use Infrastructure as Code (CloudFormation/Terraform) for consistent deployment

  • Define bucket policies, access controls, and configurations in version-controlled templates

  • This ensures reproducible deployments across environments

Integration Requirements

Your POST Attachment implementation should include:

  • File upload handling - Store files in your private S3 bucket

  • URL generation - Create pre-signed URLs when submitting to Merge's POST Attachment

  • Error handling - Manage upload failures, expired URLs, and access denied scenarios

  • Monitoring - Track upload success rates and URL generation patterns

Security Considerations

Based on Merge's experience with successful customer implementations:

  • Temporary access only - Files should only be accessible during the window in which you will call POST Attachment

  • IP restrictions - Combine pre-signed URLs with IP whitelisting where possible

  • Expiring links - Use short expiration times to minimize exposure windows

  • Clean-up processes - Consider automated deletion of files after successful processing
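The following Python is an added example, not Merge's code and not from this page, that puts the pieces above together: the 1-3 hour expiry window for pre-signed URLs, a bucket policy restricting reads to Merge's IP ranges, a lifecycle rule for clean-up, and the pre-signed URL itself. It assumes boto3 is installed with AWS credentials configured; the bucket name, the `attachments/` key prefix and the 203.0.113.0/24 range are placeholders (obtain the real Merge ranges from your Customer Success Manager).

```python
# Added example (not Merge's code). Assumes boto3 + AWS credentials; bucket name,
# key prefix and IP ranges are placeholders, not Merge's real values.
import ipaddress
import json

MIN_TTL = 3600       # lower end of the 1-3 hour window recommended above
MAX_TTL = 3 * 3600   # upper end


def clamp_expiry(seconds: int) -> int:
    """Keep the pre-signed URL lifetime inside the recommended 1-3 hour window."""
    return max(MIN_TTL, min(MAX_TTL, seconds))


def merge_only_bucket_policy(bucket: str, merge_cidrs: list) -> dict:
    """Bucket policy denying GetObject on attachment keys from any source IP outside
    the Merge ranges. A pre-signed URL still needs a valid signature; this is the
    extra network layer. Note the Deny also hits your own workloads: include their
    egress IPs or exempt their roles via aws:PrincipalArn, but never exempt the
    identity that signs the URLs, because a pre-signed request is evaluated as it."""
    for cidr in merge_cidrs:
        ipaddress.ip_network(cidr)  # raises ValueError on a malformed range
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAttachmentReadsOutsideMergeRanges",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/attachments/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": list(merge_cidrs)}},
        }],
    }


def attachment_lifecycle_rule(days: int = 1) -> dict:
    """Lifecycle rule expiring attachment objects after `days`, so files do not
    outlive the window in which POST Attachment is called."""
    return {"Rules": [{"ID": "expire-attachments", "Status": "Enabled",
                       "Filter": {"Prefix": "attachments/"},
                       "Expiration": {"Days": days}}]}


def presigned_attachment_url(bucket: str, key: str, ttl_seconds: int = 3600) -> str:
    """Time-limited GET URL to pass to Merge's POST Attachment endpoint."""
    import boto3  # imported here so the policy helpers above work without it
    s3 = boto3.client("s3")
    return s3.generate_presigned_url("get_object",
                                     Params={"Bucket": bucket, "Key": key},
                                     ExpiresIn=clamp_expiry(ttl_seconds))


if __name__ == "__main__":  # 203.0.113.0/24 is a documentation range, not Merge's
    print(json.dumps(merge_only_bucket_policy("my-attachments", ["203.0.113.0/24"]), indent=2))
    print(presigned_attachment_url("my-attachments", "attachments/resume-123.pdf", 2 * 3600))
```

Apply the policy and lifecycle documents through your CloudFormation or Terraform templates rather than by hand, so the restriction is version-controlled alongside the bucket definition.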

Benefits for Your Integration

This approach provides:

  • Merge compatibility - Works seamlessly with all Merge attachment endpoints

  • Security compliance - Files remain in your private infrastructure with controlled access

  • Scalability - Handles high-volume attachment processing efficiently

Contact your Merge Customer Success Manager or Merge Support for current IP address ranges and any integration-specific requirements for your use case.