# Filebrowser HTTP API & AI Skill: Complete reference for JWT auth, file CRUD, and folder management. > Source: > Published: 2026-05-23 17:59:58+00:00 This skill provides a standardized way for any AI model to manage files and folders on a Filebrowser server by making direct HTTP calls. Filebrowser uses a "hidden" API with JWT authentication. - Official Repository: filebrowser/filebrowser - Host: The Filebrowser URL (e.g., https://filebrowser.example.com ) - Username: Default is "" (empty string) - Password: Default is "" (empty string) All operations (except login) require the X-Auth: [JWT_TOKEN] header. Tokens expire in 2 hours. curl -X POST "https://[HOST]/api/login" \ -H "Content-Type: application/json" \ -d '{"username":"[USERNAME]","password":"[PASSWORD]","recaptcha":""}' Output: Returns the raw JWT token string directly in the response body. Endpoint: GET /api/resources/[PATH] Example: curl -X GET "https://[HOST]/api/resources/disk1" -H "X-Auth: [JWT_TOKEN]" Presentation: Parse the JSON items array and display as a clean table (Name, Size, Type, Modified). Endpoint: PATCH /api/resources/[SOURCE_ENCODED]?action=rename&destination=[DEST_ENCODED]&override=false&rename=false - Source ([SOURCE_ENCODED]): Path relative to root. Special characters MUST be percent-encoded, but slashes ( / ) MUST NOT be encoded. - Destination ([DEST_ENCODED]): MUST be fully percent-encoded (including slashes). Example: Move disk2/downloads/test 1/ to disk2/test 1/ curl -X PATCH "https://[HOST]/api/resources/disk2/downloads/test%201/?action=rename&destination=%2Fdisk2%2Ftest%25201&override=false&rename=false" -H "X-Auth: [JWT_TOKEN]" Endpoint: POST /api/resources/[PATH]/[NAME]/?override=false Rule: The path MUST end with a trailing slash (/ ). Example: curl -X POST "https://[HOST]/api/resources/disk2/newfolder/?override=false" -H "X-Auth: [JWT_TOKEN]" Endpoint: POST /api/resources/[PATH]/[NAME]?override=false Rule: The path MUST NOT end with a trailing slash. Example: curl -X POST "https://[HOST]/api/resources/disk2/newfile.txt?override=false" -H "X-Auth: [JWT_TOKEN]" Endpoint: DELETE /api/resources/[PATH] Example: curl -X DELETE "https://[HOST]/api/resources/disk2/oldfile.txt" -H "X-Auth: [JWT_TOKEN]" Endpoint: GET /api/resources/[PATH] Output: Returns JSON. The file content is in the content field. Example: curl -X GET "https://[HOST]/api/resources/disk2/notes.txt" -H "X-Auth: [JWT_TOKEN]" Endpoint: PUT /api/resources/[PATH] Example: curl -X PUT "https://[HOST]/api/resources/disk2/notes.txt" \ -H "X-Auth: [JWT_TOKEN]" \ -H "Content-Type: text/plain" \ --data "New file content goes here" Mandatory for destination parameters and paths with special characters. - JSON Handling: Always parse API responses. If an error occurs, report the HTTP status code and any error message in the JSON body. - Path Safety: Before ? in URLs, do not encode slashes. Inside query parameters likedestination , always encode slashes as%2F . - Implicit Auth: If a token is available from a previous turn, reuse it. If a request fails with 401 or 403, attempt to re-login. - Interactive Formatting: Present directory listings as Markdown tables for readability.