How to securely implement POST Attachment

Last updated: August 6, 2025

Overview

Merge requires publicly accessible URLs for attachment processing through our POST Attachments endpoints to effectively and efficiently transfer attachment data to your desired third-party platforms. With the right security measures in place, you can ensure that your attachment URLs remain accessible only to Merge while meeting your security requirements!

Recommended S3-Based File Storage Solution for Merge Customers

When implementing attachment uploads for Merge's ATS, Accounting, or File Storage integrations, we recommend the following S3-based approach with pre-signed URLs, which provides the optimal balance of security, accessibility, and performance.

Implementation Components

Secure File Storage

  • Store attachment files in a dedicated, private S3 bucket

  • This ensures files remain private by default

Pre-signed URL Access

  • Generate time-limited, pre-signed URLs

  • These URLs provide controlled access without making your entire bucket public

  • Configurable expiration times (we recommend 1-3 hours based on existing successful implementations)

Network Security

  • Implement S3 bucket policies restricting access to known Merge IP addresses

  • Request current Merge IP ranges from your Customer Success Manager or Merge support

  • This adds an additional security layer beyond URL expiration
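
One way to express the IP restriction and the expiry limit above, as an added example that is not Merge's own code. The bucket name, the CIDR ranges (RFC 5737 documentation placeholders, not Merge's addresses), the breadth limits and the function names are assumptions.

```python
import ipaddress
import json

MAX_EXPIRY_SECONDS = 3 * 3600  # upper end of the 1-3 hour recommendation above


def validate_cidrs(cidrs):
    """Normalize the allow-list; reject malformed, empty or overly broad entries."""
    if not cidrs:
        raise ValueError("empty allow-list would deny every reader")
    normalized = set()
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=True)  # ValueError on host bits set
        # Assumption: nothing broader than /16 (IPv4) or /32 (IPv6) belongs here.
        if net.prefixlen < (16 if net.version == 4 else 32):
            raise ValueError(f"{cidr} is too broad for an allow-list")
        normalized.add(str(net))
    return sorted(normalized)


def build_bucket_policy(bucket, allowed_cidrs):
    """Explicit Deny on reads from outside the allow-list.

    An explicit Deny also applies to requests made with a valid pre-signed URL,
    so a leaked URL cannot be fetched from elsewhere.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyGetObjectOutsideAllowList",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": validate_cidrs(allowed_cidrs)}},
        }],
    }


def presign_expiry(requested_seconds):
    """Lifetime to pass as ExpiresIn when generating the pre-signed URL."""
    if requested_seconds <= 0:
        raise ValueError("expiry must be positive")
    return min(requested_seconds, MAX_EXPIRY_SECONDS)


if __name__ == "__main__":
    # Constructed placeholders (RFC 5737 documentation ranges), not Merge's IPs.
    policy = build_bucket_policy("example-attachments-bucket",
                                 ["203.0.113.0/24", "198.51.100.0/24"])
    print(json.dumps(policy, indent=2), presign_expiry(3600))
```

Because the Deny covers every caller, any of your own services that read these objects must also come from a listed range; uploads and deletes are unaffected since only s3:GetObject is denied.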

Infrastructure Management

  • Use Infrastructure as Code (CloudFormation/Terraform) for consistent deployment

  • Define bucket policies, access controls, and configurations in version-controlled templates

  • This ensures reproducible deployments across environments

Integration Requirements

Your POST Attachment implementation should include:

  • File upload handling - Store files in your private S3 bucket

  • URL generation - Create pre-signed URLs when submitting to Merge's POST Attachment

  • Error handling - Manage upload failures, expired URLs, and access denied scenarios

  • Monitoring - Track upload success rates and URL generation patterns

Security Considerations

Based on Merge's experience with successful customer implementations:

  • Temporary access only - Files should only be accessible during the window where you will call POST Attachment

  • IP restrictions - Combine pre-signed URLs with IP whitelisting where possible

  • Expiring links - Use short expiration times to minimize exposure windows

  • Clean-up processes - Consider automated deletion of files after successful processing

Benefits for Your Integration

This approach provides:

  • Merge compatibility - Works seamlessly with all Merge attachment endpoints

  • Security compliance - Files remain in your private infrastructure with controlled access

  • Scalability - Handles high-volume attachment processing efficiently

Contact your Merge Customer Success Manager or Merge Support for current IP address ranges and any integration-specific requirements for your use case.