OptStuff

FAQ

Frequently asked questions about OptStuff — pricing, CDN usage, migration, team management, and troubleshooting.

General

What is OptStuff?

OptStuff is a secure image optimization API that resizes, compresses, and converts images on-the-fly via URL parameters. See What is OptStuff? for a full overview.

What image formats are supported?

Input: JPEG, PNG, WebP, AVIF, GIF Output: JPEG, PNG, WebP, AVIF

See Image Operations for the complete reference.

Is OptStuff open source?

Yes. The source code is available on GitHub.

Cost & Rate Limits

How much does it cost to run OptStuff?

OptStuff runs on serverless infrastructure (Vercel, Neon, Upstash, Clerk). You can start at $0/month using free tiers. At scale, the marginal cost is approximately $0.03 per 1,000 requests. See Cost Analysis & Pricing Strategy for a full breakdown.

What are the default rate limits?

Default per-key limits are 60/min and 10,000/day. The data model supports per-key values, but dashboard UI controls for custom tuning are not available yet. See Rate Limiting.

Can I increase rate limits?

Yes, by updating the api_key table directly. Dashboard UI for per-key rate limit tuning is planned for a future release. See Rate Limiting for details.

Integration

Can I use OptStuff with a CDN?

Yes, and it's recommended. OptStuff returns Cache-Control: public, s-maxage=31536000, immutable headers, making it compatible with any CDN. See the CDN and Caching guide for setup instructions with Cloudflare, Vercel, and CloudFront.

Does OptStuff work with frameworks other than Next.js?

Yes. OptStuff is a standard HTTP API — any server-side language that can compute HMAC-SHA256 can generate signed URLs. See Code Examples for implementations in Node.js, Python, Go, Ruby, and PHP.

Can I use OptStuff from the browser?

URL signing must happen server-side because it requires the secret key. The signed URL itself can be used in <img> tags, CSS background-image, or any client-side context. See the Next.js Integration guide for the recommended pattern.

How do I migrate from Cloudinary / Imgix / another service?

  1. Create an OptStuff project and API key
  2. Add your image source domains in project Settings → Domain Security → Image Sources
  3. Replace your existing image URL generation with OptStuff's signing utility
  4. Update your CDN origin to point to your OptStuff deployment

The URL structure is different, so you'll need to update your image components. See the Quick Start for the basic integration pattern.

Security

Is my secret key stored securely?

Yes. Secret keys are encrypted with AES-256-GCM before storage. The encryption master key is derived via HKDF (RFC 5869) and stored separately from the database. See Security Best Practices.

What if I lose my secret key?

The secret key is only shown once at creation or rotation. If you've lost it, rotate the key from the dashboard to generate a new pair. The old key is immediately revoked. See Key Management.

Can someone forge requests if they see a signed URL?

No. A signed URL proves the request was authorized, but it cannot be used to derive the secret key or forge new URLs with different parameters. Each URL is bound to its specific operations, image source, and optional expiration.

Teams and Projects

Can multiple people manage the same project?

Currently, only the team owner can manage resources (projects, API keys, settings). Team collaboration features are on the roadmap.

Can I have multiple projects in one team?

Yes. Each team can have unlimited projects, and each project can have unlimited API keys. This lets you isolate different applications or environments.

Can I transfer a project to another team?

Project transfers are not currently supported. You can create a new project in the target team and generate new API keys.

Troubleshooting

I'm getting 403 Invalid or expired signature

This is the most common error. Check these causes in order:

  1. Wrong key — Make sure you're signing with the secret key (sk_...), not the public key
  2. Wrong path order — Operations must come before the image URL: w_800,f_webp/cdn.example.com/photo.jpg
  3. Wrong encoding — Use base64url, not standard base64
  4. Expired signature — If using exp, ensure the timestamp is in Unix seconds (not milliseconds)

See Troubleshooting Signature Errors for the full checklist.

I'm getting 403 Source domain not allowed

The image source domain is not in the project's allowed source domains list. Add it in Dashboard → Project → Settings → Domain Security → Image Sources. See Domain Whitelisting.

I'm getting 429 Too Many Requests

You've exceeded per-minute or per-day rate limits for this API key. Check the Retry-After header in the response and wait before retrying. See Rate Limiting for behavior details and current configuration options.

Images are not being cached by my CDN

Verify that:

  1. Your CDN is configured to respect Cache-Control headers
  2. Query strings (key, sig, exp) are included in the cache key
  3. The CDN is not stripping or overriding cache headers

See CDN and Caching for CDN-specific configuration.

Last updated on

SSRF Prevention

How our image proxy architecture prevents Server-Side Request Forgery (SSRF) — the design flaw, the attack vector, and the fix.

On this page

GeneralWhat is OptStuff?What image formats are supported?Is OptStuff open source?Cost & Rate LimitsHow much does it cost to run OptStuff?What are the default rate limits?Can I increase rate limits?IntegrationCan I use OptStuff with a CDN?Does OptStuff work with frameworks other than Next.js?Can I use OptStuff from the browser?How do I migrate from Cloudinary / Imgix / another service?SecurityIs my secret key stored securely?What if I lose my secret key?Can someone forge requests if they see a signed URL?Teams and ProjectsCan multiple people manage the same project?Can I have multiple projects in one team?Can I transfer a project to another team?TroubleshootingI'm getting 403 Invalid or expired signatureI'm getting 403 Source domain not allowedI'm getting 429 Too Many RequestsImages are not being cached by my CDN