HTTP headers and common query string parameters for JSON

The Cloud Storage API uses standard HTTP headers as well asseveral extension (custom) HTTP headers. This page describes:

  • All headers used by the JSON API
  • The query parameters that apply to any JSON API request

Seespecific methods for additional query string parameters not covered inthis page.

HTTP headers and common query string parameters summary

The JSON API uses the following standard HTTP headers:

Authorization
Cache-Control
Content-ID
Content-Length
Content-Range
Content-Type
Content-Transfer-Encoding
Date
ETag
Expires
If-Match
If-None-Match
Location
Range
Transfer-Encoding

The JSON API uses the following extension (custom) HTTP headers:

X-Goog-Allowed-Resources
X-Goog-Content-Length-Range
X-Goog-Custom-Audit-KEY
X-Goog-Encryption-Algorithm
X-Goog-Encryption-Key
X-Goog-Encryption-Key-Sha256		X-Goog-Copy-Source-Encryption-Algorithm
X-Goog-Copy-Source-Encryption-Key
X-Goog-Copy-Source-Encryption-Key-Sha256
X-Goog-Meta-KEY
X-Goog-Stored-Content-Encoding
X-Goog-Stored-Content-Length		X-Goog-User-Project
X-GUploader-UploadID
X-HTTP-Method-Override
X-Upload-Content-Length
X-Upload-Content-Type

The JSON API uses the following query string parameters:

alt
callback
fields		prettyPrint
quotaUser
userProject

Standard HTTP headers

Authorization

A request header that contains a string used to authenticate requests.

Valid ValuesThe authentication identifierBearer followed by a valid OAuth 2.0 token.
ExampleAuthorization: Bearer ya29.AHES6ZRVmB7fkLtd1XTmq6mo0S1wqZZi3-Lh_s- ...
DetailsYou must send an OAuth 2.0 token with every request that requires an OAuth scope.OAuth 2.0 is the only supported authorization protocol.

To create a sample access token for testing, use theOAuth 2.0 playground.

Note: If your requests are being routed through a proxy, you might need to check with your network administrator to ensure that requiredAuthorization headers are not stripped out by the proxy. Without theAuthorization header, you receive aMissingSecurityHeader error and your request is rejected. For more information about accessing Cloud Storage through a proxy server, see theTroubleshooting topic.

For additional details, see thespecification.

Cache-Control

A response header that indicates the caching directive for the request.

Valid ValuesAny valid cache-control value (see thespecification).
ExampleCache-Control: public, max-age=6000
DetailsIndicates if, and how, the response can be cached. When serving publicly accessible objects from Cloud Storage, the value forCache-Control is determined by theCache-Control metadata set on the object. To be considered publicly accessible, permission to read the object's data must be available forallUsers. If an object is publicly accessible and you have notset the object'sCache-Control metadata, Cloud Storage applies aCache-Control setting of 3600 seconds. When serving an object via the JSON API that is not publicly accessible, Cloud Storage sets the response toCache-Control: no-cache, regardless of the metadata settings for the object. For additional details, see thespecification.

Content-ID

An optional identifier in the part-header of amultipart request.

Valid ValuesAn identifier that is unique within the parts of the request.
ExampleContent-ID: <b29c5de2-0db4-490b-b421-6a51b598bd22+1>
DetailsContent-ID is only used in the body of multipart (batch) requests and only as an identifier of requests within the body. If included, any response will have a matchingContent-ID header in the corresponding part whose value will beresponse- followed by the originally supplied ID. For additional details, see thespecification.

Content-Length

The length (in bytes) of the request or response body.

Valid ValuesAny value of zero or greater.
ExampleContent-Length: 1234
DetailsThis is required for most POST and PUT commands used in uploading objects, except if you are using the headerTransfer-Encoding: chunked. When making the initial request of aresumable upload, this header should be set to the number of bytes provided in that specific request. For more information, seeObjects:insert. For additional details, see thespecification.

Content-Range

A header used in some upload requests and download responses.

Valid ValuesAny contiguous range of bytes.
ExampleContent-Range: bytes 456-987/1234
Details

When appearing in a response, theContent-Range header indicates the range of bytes being returned as a result of a request that included aRange header.

When included as part of aresumable upload request,Content-Range is used to query for the current position of the upload or as an indicator of the starting point of the block of data being uploaded in the current request.

Byte ranges are inclusive; that is,bytes 0-999 represent the first 1000 bytes in a file or object.

For additional details, particularly regarding download responses, see thespecification.

Content-Transfer-Encoding

A header used in some upload requests and download responses.

Valid ValuesAn optional request and response header that indicates the type of encoding that has been applied to the message body.
ExampleContent-Transfer-Encoding: binary
Details

This header specifies the encoding of a message body in a request.

For additional details, see thespecification.

Content-Type

The MIME type of the request or response.

Valid ValuesAny valid MIME type.
ExampleContent-Type: text/html
Details

This is required for POST and PUT commands associated with uploading objects and granting permissions; however, this command can alternatively be included in the body of the request instead of as a header (for more information, seeObjects: insert). When making the initial request of aresumable upload that also includes metadata, use the Content-Type header to specify the metadata's data type.

For additional details, see thespecification.

Date

The date and time of the request or response.

Valid ValuesA date and time represented in conventional HTTP format (see thespecification).
ExampleDate: Wed, 16 Jun 2010 11:11:11 GMT
DetailsFor information about HTTP date formats, see thespecification.

ETag

A response header that contains the entity tag of the object being accessed.

Valid ValuesA string of characters enclosed by quotes. For more information, seeObject metadata.
Example

ETag: "39a59594290b0f9a30662a56d695b71d"

ETag: "-CKicn4fknbUCEAE="

DetailsSee thespecification.

Expires

A response header indicating the time after which the response is considered stale.

Valid ValuesA date and time represented in conventional HTTP format (see thespecification).
ExampleExpires: Tue, 22 Jan 2013 18:56:00 GMT
DetailsSee thespecification.

If-Match

A request header that specifies an entity tag (ETag).

Valid ValuesA valid entity tag.
ExampleIf-Match: "881f7881ac1bc144a2672e45babb8839"
Details

This header is currently supported forGET requests. This header is supported for all resources, including buckets, objects and ACLs. If the ETag you specify with this header is the same as the ETag for the requested resource, then the request proceeds normally. If the ETag you specify with this header is different from the ETag for the requested resource, then the request fails and Cloud Storage returns a412 Precondition Failed error code.

For additional details, see thespecification.

If-None-Match

A request header that specifies an entity tag (ETag).

Valid ValuesA valid entity tag.
ExampleIf-None-Match: "881f7881ac1bc144a2672e45babb8839"
Details

This header is currently supported forGET requests. This header is supported for all resources, including buckets, objects and ACLs. If the ETag you specify with this header is different than the ETag for the requested resource, then the request proceeds normally. If the ETag you specify with this header is the same as the ETag of the requested resource, then the request fails and Cloud Storage returns a304 Not Modified status code.

For additional details, see thespecification.

Location

A response header providing a URI.

Valid ValuesAny valid URI.
ExampleLocation: https://storage.googleapis.com/upload/storage/v1/b/example-bucket/o?uploadType=resumable&...
Details

Thelocation header is used for several purposes:

  • In response to initiating a resumable upload it provides you with a session URI for a resumable upload operation.
  • In response to aCookie-based authentication request it provides you with a unique web origin response URL for the request.
  • In response to a JSON API download request made at a URL other than `www.googleapis.com/download` it provides a redirect to the JSON API URL where the download can be made.

For additional details, see thespecification.

Range

A request header indicating the range of bytes that you want returned, and aresponse header indicating the range of bytes that have been uploaded to theCloud Storage system.

Valid ValuesA contiguous range of bytes.
ExamplesRange: bytes=0-1999 (first 2000 bytes)
Range: bytes=-2000 (last 2000 bytes)
Range: bytes=2000- (from byte 2000 to end of file)
Details

When included as a header in a request for object data, only the specified range of bytes for the object gets returned, which is useful when downloading an object in parallel requests or when resuming an interrupted download. Multiple byte ranges in a single request are not accepted, and incertain circumstances theRange request header is ignored.

When returned as part of a response associated with a resumable upload,Range indicates the number of bytes currently uploaded. You can subsequently use this information tocontinue the upload.

Byte ranges are inclusive. For example,bytes=0-999 represent the first 1000 bytes in a file or object. For more information about this header, see thespecification.

Extension (custom) HTTP headers

X-Goog-Allowed-Resources

A request header that restricts the resources the request is allowed to act on.

Valid ValuesAnRFC 4648 Base64-encoded string of theorganization restriction definition.
ExampleX-Goog-Allowed-Resources: ewogInJlc291cmNlcyI6IFsib3JnYW5pemF0aW9ucy8xMjM0NTY3ODkiLCAib3JnYW5pemF0aW9ucy8xMDExMTIxMzE0Il0sCiAib3B0aW9ucyI6ICJzdHJpY3QiCn0K
DetailsThis request header prevents a request from proceeding unless each resource in the request is within an organization specified by the header. For more information, seeIntroduction to organization restrictions.

Transfer-Encoding

A request and response header that specifies if transfer-encoding had beenapplied to the message body.

Valid Valueschunked
ExampleTransfer-Encoding: chunked
Details

This header specifies if the message body of a request or response has been chunked. If it is, content is received or served in a series of chunks, with the final chunk having a length of zero. If you specifyTransfer-Encoding: Chunked, you don't need to specify aContent-Length. This can be useful if you don't know the length of the message body in advance, such as when performing a streaming upload.

For more details about Transfer-Encodings, see thespecification. For more details about chunked transfer encoding, see thespecification.

X-Goog-Content-Length-Range

APUT request header. When used, Cloud Storage only accepts the request if the size of the request's content is within the header's specified range.

Valid ValuesAMIN,MAX pair
ExampleX-Goog-Content-Length-Range: 0,256
Details The values for content size are inclusive and given in bytes. If the size of the request's content is in the specified range, it is delivered as requested. If the size of the request's content is outside the specified range, the request fails and a400 Bad Request code is returned in the response. If theX-Goog-Content-Length-Range is used in a request other thanPUT, the header is silently ignored.

X-Goog-Custom-Audit-KEY

A request header that specifiescustom information to include in audit logsgenerated by Cloud Audit Logs.

Valid ValuesA string of characters (1,200 maximum).
Examples

X-Goog-Custom-Audit-User: user ID test 1

X-Goog-Custom-Audit-Job: test-job-id-here

X-Goog-Custom-Audit-Justification: Removed customer identity record at customer request

DetailsThe X-Goog-Custom-Audit-KEY header can be used in any JSON API request. TheKEY is a custom string that can contain up to 64 characters, including thex-goog-custom-audit- prefix. TheVALUE is a custom string that can contain up to 1,200 characters.

X-Goog-Encryption-Algorithm

A request and response header that specifies the encryption algorithm to use.

Valid ValuesAES256
ExampleX-Goog-Encryption-Algorithm: AES256
DetailsThis request and response header is used when you providecustomer-supplied encryption keys. When used specifically in a rewrite operation, this header applies to the destination object.

X-Goog-Encryption-Key

A request header that specifies an encryption key.

Valid ValuesAnRFC 4648 Base64-encoded string of a valid AES-256 encryption key
ExampleX-Goog-Encryption-Key: NwbyGGmcKAX4FxGpOERG2Ap33m5NVOgmXznSGTEvG0I=
DetailsThis request header is used when you providecustomer-supplied encryption keys. When used specifically in a rewrite operation, this header applies to the destination object.

X-Goog-Encryption-Key-Sha256

A request and response header that specifies the SHA256 hash of the encryption key.

Valid ValuesAnRFC 4648 Base64-encoded string of a valid SHA256 hash for an encryption key
ExampleX-Goog-Encryption-Key-Sha256: +eBzkZBt1Mj2CZx69L3c8yXoZB6DtRLlSvXMJB9JGIQ=
DetailsThis request header is used when you providecustomer-supplied encryption keys. When used specifically in a rewrite operation, this header applies to the destination object.

X-Goog-Copy-Source-Encryption-Algorithm

A request and response header that specifies the encryption algorithm to use on the source object when performing a rewrite.

Valid ValuesAES256
ExampleX-Goog-Copy-Source-Encryption-Algorithm: AES256
DetailsThis request and response header is used in rewrite operations when you providecustomer-supplied encryption keys. This header applies to the source object used in the rewrite.

X-Goog-Copy-Source-Encryption-Key

A request header that specifies an encryption key to use to decrypt the source object when performing a rewrite.

Valid ValuesAnRFC 4648 Base64-encoded string of a valid AES-256 encryption key
ExampleX-Goog-Copy-Source-Encryption-Key: NwbyGGmcKAX4FxGpOERG2Ap33m5NVOgmXznSGTEvG0I=
DetailsThis request header is used in rewrite operations when you providecustomer-supplied encryption keys. This header applies to the source object in the rewrite.

X-Goog-Copy-Source-Encryption-Key-Sha256

A request and response header that specifies the SHA256 hash of the encryption key that is used to decrypt the source object when performing a rewrite.

Valid ValuesAnRFC 4648 Base64-encoded string of a valid SHA256 hash for an encryption key.
ExampleX-Goog-Copy-Source-Encryption-Key-Sha256: +eBzkZBt1Mj2CZx69L3c8yXoZB6DtRLlSvXMJB9JGIQ=
DetailsThis request header is in rewrite operations when you providecustomer-supplied encryption keys. This header applies to the source object in the rewrite.

X-Goog-Meta-KEY

A request header used to setcustom metadata in thefinal request of aresumableupload.

Valid ValuesAny valid header name and value, with a maximum combined size of 8 KiB.
ExampleX-Goog-Meta-foo: bar
Details TheX-Goog-Meta- header is an optional header in the final request of a resumable upload. TheKEY and the header's value are added to the custom metadata of the uploaded object. Any custom metadata set in theinitial request that uses the sameKEY string is overwritten using the value provided in theX-Goog-Meta- header. Keys specified using theX-Goog-Meta- header are always added to the object's metadata using lowercase characters because HTTP headers are case-insensitive.

X-Goog-Stored-Content-Encoding

A response header that indicates the content encoding value stored as part oftheobject's metadata. This value is independent of anytranscodingthat might be performed by the server during individual requests for the object.

Valid ValuesThe content-encoding specified in the stored object's metadata oridentity.
ExampleX-Goog-Stored-Content-Encoding: gzip
DetailsIf the object has no stored metadata value forcontent-encoding, then the value of this header isidentity.

X-Goog-Stored-Content-Length

A response header that indicates the content length (in bytes) of the object asstored in Cloud Storage, independent of any server-driven negotiation thatmight occur for individual requests for the object.

Valid ValuesAny byte value of zero or greater.
ExampleX-Goog-Stored-Content-Length: 350
DetailsNone

X-Goog-User-Project

A request header that specifies a user project to bill for access charges associated with the request.

Valid ValuesTheProject ID for an existing Google Cloud project
ExampleX-Goog-User-Project: my-project
Details

The project specified in the header is billed for charges associated with the request. This header is used, for example, when making requests to buckets that haveRequester Pays enabled.

Generally, JSON requests that require a project ID should supply one in the request URL with theuserProject parameter instead of with theX-Goog-User-Project header.

X-GUploader-UploadID

A response header returned for Cloud Storage requests.

Valid ValuesA string of characters.
ExampleX-GUploader-UploadID: ADPycdvYczN-TgGGp1mvqlCLVKg2m0Cp9niWTV2kc8MLJG6W6Xw7aPMYj1YU8Pxskb5C9lUM8hVEtBG6DubMif3xhXkgTpfhpg
DetailsThe X-GUploader-UploadID header is a unique identifier provided in Cloud Storage responses. This value can be helpful when troubleshooting with Google Cloud support.

X-HTTP-Method-Override

An alternative notation for sending PATCH commands.

Valid ValuesPATCH
ExampleX-HTTP-Method-Override: PATCH
DetailsThe X-HTTP-Method-Override header can be sent with a POST command in order to make the command behave as a PATCH command. This is useful when your firewall does not allow explicit PATCH commands to be sent.

X-Upload-Content-Length

A request header used in resumable uploads.

Valid ValuesAny value of 0 or greater.
ExampleX-Upload-Content-Length: 2000000
DetailsThe X-Upload-Content-Length header is used in the initial request of aresumable upload. It specifies the total size in bytes of the object to be uploaded. If the length is unknown at the time of the request, the header can be omitted.

X-Upload-Content-Type

A request header used in resumable uploads.

Valid ValuesAny valid MIME type (see thespecification).
ExampleX-Upload-Content-Type: image/jpeg
DetailsThe X-Upload-Content-Type header is used in the initial request of aresumable upload. It specifies the MIME media type of the data that will be transferred in the resumable upload. If a MIME type is not specified in metadata or through this header, the object is served asapplication/octet-stream.

Standard Query Parameters

Query string parameters that can be used in any JSON API request are shown inthe table below. Note that not all parameters apply to all requests. Forexample, use of thefields parameter has no effect onDelete requests, sincethe response body is empty. Seespecific methods for additional querystring parameters.

In the examples of query parameters described in this section, the URIs are notshown but are assumed to be relative tohttps://storage.googleapis.com/storage/v1/PATH_TO_RESOURCE,with the exception of object uploads and batched requests. For more informationabout the URIs you should use when making requests to the JSON API, seeRequest endpoints.

All parameters are optional except where noted.

ParameterMeaningNotes
alt

Data format for the response.

  • Valid values:json,media
  • Default value:json
callbackCallback function.
  • Name of the JavaScript callback function that handles the response.
  • Used in JavaScriptJSON-P requests.
fieldsSelector specifying a subset of fields to include in the response.
  • For more information, see thepartial response documentation.
  • Use for better performance.
prettyPrint

Returns response with indentations and line breaks.

  • Returns the response in a human-readable format iftrue.
  • Default value:true.
  • When this isfalse, it can reduce the response payload size, which might lead to better performance in some environments.
quotaUserIP address of the end user for whom the API call is being made.
  • Lets you enforce per-user quotas from a server-side application even in cases when the user's IP address is unknown. This can occur, for example, with applications that run cron jobs on App Engine on a user's behalf.
  • You can choose any arbitrary string that uniquely identifies a user, but it is limited to 40 characters.
  • Learn more aboutCapping API usage.
userProjectThe project to be billed for the request.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-17 UTC.