Problems with Direct Links, created by OCS API


we face a problem with public direct links, created via the OCS API.

Please help us.

Here is what we do

  1. We get a filelist like this: Basic APIs — Nextcloud latest Developer Manual latest documentation
PROPFIND remote.php/dav/files/user/path/to/folder
  1. with that we get a fileId, which we use to create a public direct link like this: OCS APIs overview — Nextcloud latest Developer Manual latest documentation
    POST /ocs/v2.php/apps/dav/api/v1/direct
    which gives us a nice proper public link, which works fine, when pasted into the browser address bar

Now here comes the issue

  1. We list those links as HTML links in our intranet.
  2. if we click on one link, a new tab opens and the file is shown or downloaded (depending on file type: pdf, md, odt)
  3. if we click a second time, we get a


  1. if we click any other listed file, the error shows immediately
  2. we figured out, that 4 cookies are set in the web storage and as long as one specific cookie exists, the link will fail. We tested that by just deleting the one cookie “ocppvjk1lhdq”

Additional Information

  • Nextcloud v 26.0.1
  • the Nextcloud server is in a docker container, behind træfik and fail2ban
    • we digged through the log files, and it seems to be no error on the PHP side, we are not sure though, if that plays a role here anyway
  • The problem is not Browser specific, happens in Chrome and Firefox alike
  • our Nextcloud enforces password in shared files, as well as expiration date
  • we tried the share link api: OCS Share API — Nextcloud latest Developer Manual latest documentation but can’t use this approach for usability reasons (namely passwords have to be shared)

You don’t get more information from the logs?

After it failed, you click on the link again, does it work again on the first click?


The log is empty except for the 503 error. Out of curiosity, and because I also have a Hetzner-hosted Nextcloud, I tried the same procedure there and obtained the same result.

After it failed, and I clicked the link again, the error appears immediately and for all other links as well.

I didn’t have the time to check it myself, if I can reproduce it. But if you can reproduce it with the Hetzner setup, it might be a bug. Do you see the same problems with links generated through the web-interface?

I do not see the same problems with links generated through the web-interface.

To test it by yourself is time consuming. Just in case you like to try it out sometime, here is the curl we use to generate the link

url='https://<your cloud>/ocs/v2.php/apps/dav/api/v1/direct'
user="a user"
pw="the users password"

curl -u $user:$pw \
-X POST $url \
-H "OCS-APIRequest: true" \
--data "fileId=<ID of the file>"

You will get something like this

The URL field holds the direct link. Create a simple HTML file with an “a-tag” and the direct link.

<a href="https://<cloud>/remote.php/direct/<directLink>
">Click here</a>

Open it inside a private browsing tab (so no cookies are set already). You can click that link ones (and it works), click it again and the issues appears.