Valet key is a useful pattern for when users of a cloud application need to upload or download files.

The idea is to create temporary tokens that give limited access to a single blob in a cloud store, and have the client upload or download directly to/from that cloud store, rather than through the application.

The principal interest of this pattern is to offload data transfer from the application, reducing both the load on the application servers (memory, caching, networking) and the complexity on the application (handling streaming, caching, memory optimization, etc.).

To upload a file, the webpage is asking for a write-only token from the API. In Azure, this token is called a Shared Access Signature (SAS). It allows its bearer to write directly to the cloud store for a limited period of time1. The API validates the request, and through its access to the storage account, generate the SAS. The webpage then uses that URL with the Azure Blob Storage SDK to upload the file, possibly doing so in multiple blocks2.

To download a file, the webpage is asking the API for a read-only SAS, then redirects the browser to this URL, which triggers the download directly from blob storage.


A demo of this pattern is available on GitHub.


  1. validity period for that token can be dynamically tailored to the size of the file being uploaded/downloaded. 

  2. this is abstracted away from you by the SDK so you don’t have to do anything to get that.