Skip to main content

2026-03-21 - Important Security Update: Changes to Device Screenshot URLs

info

Effective Date: May 15, 2026

As part of our ongoing commitment to platform security and SOC 2 compliance, we are making a mandatory change to how device screenshot URLs are served through the signageOS API.

What is changing

The uri field returned by the screenshot endpoints will transition from permanent, publicly accessible URLs to time-limited pre-signed URLs with a guaranteed minimum validity of 8 hours.

Affected endpoints:

  • GET /v1/device/screenshot
  • GET /v1/device/{deviceUid}/screenshot

After this change, the existing endpoints will return pre-signed S3 URLs instead of direct S3 URLs. These pre-signed URLs are valid for at least 8 hours but cannot be stored permanently.

warning

Any screenshot URLs currently stored in your databases or caches will stop working on May 15, 2026. The previously permanent URLs will no longer resolve once the bucket is switched to private. You must update your integration to re-fetch URLs from the existing API endpoints when needed.

How to use the new URLs

No new endpoints are being introduced. The existing screenshot endpoints listed above will return pre-signed URLs instead of direct URLs.

If your integration currently stores screenshot URLs for later use, you should instead:

  1. Use the returned URL within its validity period — pre-signed URLs are valid for at least 8 hours
  2. Re-fetch from the API if the URL expires — call the same existing endpoints to obtain a fresh pre-signed URL
  3. Do not store URLs permanently — they are time-limited and will eventually expire

Why this change is mandatory

  • Strengthening security posture by eliminating publicly accessible storage buckets
  • Achieving SOC 2 compliance requirements for data access controls
  • Remediating a security vulnerability in the current unauthenticated access model

How to prepare

Review your integration code for any logic that stores or caches screenshot uri values permanently. Update those flows to re-fetch URLs from the existing API endpoints when the cached URL has expired or is close to expiring.

Timeline

MilestoneDate
Feedback & concerns deadlineApril 31, 2026
Change takes effectMay 15, 2026

We want your feedback

If this change impacts your workflow or you have concerns, please reach out to us before April 31, 2026 via support ticket. We want to ensure a smooth transition and are happy to assist with any migration questions.