What decides if a COS file is hidden or not? If uploaded to CRM


Is a file hidden based on user, or hidden based on how it is uploaded and "hidden" is a fixed attribute in the COS file's metadata?

I cannot view some files that were attached by notes with Zapier API tools, but some I can.

I see these metadata values. I think that some files are hidden in CRM and some are not. But how?

hidden: (false or true)
allows_anonymous_access: (false or true)


Hi @thecoolcoder,

Files that are uploaded in-app by attaching them to object records are hidden by default. Files uploaded in-app via the file manager are not hidden by default. Files uploaded vie the COS Files API with hidden: true are also hidden, whether or not they're attached to an object record.



It would be useful to API developers that have Oauth or API key level of trusted access to be able to view the files as not hidden seeing that if they are building and app, have API level of admin access, that if they target and such hidden file, that they should be able to indeed view and use it, such as to copy it to Google Drive. To me, it should be at least an option to be able to view it when API key is present in an app. There have been numerous inquiries by app builders that seem to be wanting this.

Can we get it? It seems so easy to deliver this ability to api developers.



Hi @thecoolcoder,

I understand the use case you're describing, but the hidden flag isn't related to a user/app's level of access. The hidden flag is intended to make assets viewable only when accessed from an object record (i.e. from an app.hubspot.com/file-preview URL).

I'm happy to pass this feedback along internally though; additionally, if you have the inclination, I would highly encourage you to check out the Ideas Forum on the HubSpot Community. There, you can create a post including your use case that product and other customers can see. This is the primary place that HubSpot is aggregating product feedback, so I'd strongly recommend posting this as an idea.



Thank you. Much appreciated. It just seems logical to grant total access to all that have the API key - in this case. I will post in Ideas. Keep doing what you do, it is a good thing!