Grant Time-Limited Access to Files

Overview

This guide shows how to grant access to an encrypted container for a limited period of time. Access is enforced cryptographically and automatically expires at the specified time without requiring manual revocation.

Time-bound access allows containers to be shared securely while ensuring that recipients can only decrypt the container during an authorized access window. Once the expiration time is reached, container decryption is cryptographically denied.

Expiration is enforced independently of storage location and does not require modifying or re-encrypting the container.

What You Will Build

In this guide, you will:

  1. Grant time-limited access to an encrypted container

  2. Configure an expiration time using container access policies

  3. Retrieve and decrypt the container as an authorized recipient before expiration

  4. Attempt to access the container after the expiration time

  5. Verify that container decryption is no longer permitted

Key Concepts

Time-Bound Access Policies

Time-bound access is configured using container DRM policies and applies to all external recipients of the container. Access enforcement is evaluated at the time of decryption.

This ensures:

  • Access for all recipients automatically expires at the defined time

  • No manual cleanup or revocation is required

  • Recipients cannot decrypt the container after the expiration time

Container contents remain immutable.

Time-bound access applies to the container access policy and affects all recipients governed by that policy.

Common Use Cases

Time-limited access is commonly used for:

  • Temporary contractor access

  • Expiring download links

  • Regulatory audit windows

  • Vendor access during defined project periods

  • Controlled sharing of sensitive enterprise data

Architecture Flow

Container Owner

    │ Grant access with expiration

Authorized Recipient

    │ Decrypt container (before expiration)

Encrypted Container (.tera)

    │ Access expires automatically

Decryption denied

Prerequisites

Base URL:

https://share.locktera.com/api/v1

Authentication header:

Authorization: Bearer YOUR_API_KEY

Step 1 — Grant Time-Limited Access

Grant access to a recipient with an expiration timestamp.

Request

curl -X PATCH $BASE_URL/users/{user_id}/containers/{container_id}/drm \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "container": {
      "recipients": [
        "authorized.recipient@company.com"
      ],
      "drm": {
        "time": {
          "start": "2025-03-01T00:00:00Z",
          "end": "2026-03-01T00:00:00Z"
        }
      }
    }
  }'

The recipient may decrypt the container until the expiration time.

Step 2 — Retrieve Container Before Expiration

The authorized recipient retrieves and decrypts the container.

Request

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/decode?viewer=authorized.recipient@company.com \
  -H "Authorization: Bearer YOUR_API_KEY"

Response (Authorized)

{
  "org_id": "YOUR_USER_ID",
  "container": {
    "uuid": "123e4567-e89b-12d3-a456-426614174000",
    "files": [
      {
        "name": "example_file.pdf"
      }
    ]
  }
}

Access is permitted because the expiration time has not been reached.

Step 3 — Attempt Access After Expiration

After the expiration time, the recipient attempts to retrieve the container.

Request

curl -X GET $BASE_URL/users/{user_id}/containers/{container_id}/decode?viewer=authorized.recipient@company.com \
  -H "Authorization: Bearer YOUR_API_KEY"

Response (Access Expired)

{
  "error": "access_expired",
  "message": "Access to this container has expired."
}

Container decryption is cryptographically denied.

Security Properties

Time-bound access ensures:

  • Access expires automatically at the defined time

  • Recipients cannot decrypt containers past defined expiration time

  • No manual revocation is required

  • Container contents remain immutable

  • Access enforcement is cryptographically enforced

  • Enforcement is independent of storage location

  • All access attempts are audit logged

Relationship to Revocation

Time-bound expiration complements manual revocation.

Access may be removed by:

  • Automatic expiration using time

  • Selective recipient revocation using /drm

  • Full container revocation using /block

All methods prevent future container decryption.

Summary

Locktera allows access to encrypted containers to be granted for a defined period of time. Access automatically expires at the configured expiration time without requiring manual intervention. This enables secure temporary sharing while maintaining persistent cryptographic control over access.