MightyDocs
Browse docs

Scan File Uploads

Scan uploaded PDFs, images, and documents before storage, OCR, AI extraction, or workflow routing.

Goal

Put a scan step between user uploads and anything that trusts the file.

Use this for claim packets, invoices, receipts, estimates, signed forms, evidence photos, identity documents, and uploaded PDFs.

Architecture

  1. Receive the upload on your server.
  2. Send the file to Mighty as multipart form data.
  3. Store the scan result with the upload record.
  4. Route the workflow based on action.
  5. Send risky uploads to review before OCR, AI extraction, or automation.

Multipart Request And Response

curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./invoice.pdf" \
  -F "content_type=auto" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=steg" \
  -F "profile=balanced" \
  -F "data_sensitivity=tolerant" \
  -F "metadata[source]=upload"

Use content_type=auto if your server does not know the type. Use the known type when you do.

Use focus=steg as the mixed-upload default because the first job is to catch hidden instructions, prompt injection, content steering, unsafe text, and file extraction risk before storage, OCR, or AI extraction. Use Choose Scan Settings when you need a different path.

Each entry in threats is an object with category, confidence, an optional evidence excerpt, and a human-readable reason. Switch on action; use threats[].category for audit logs.

Known Image Or PDF Evidence

Use focus=all only after you know the file is image/PDF evidence and hidden content, authenticity, and edit evidence all matter.

curl -X POST https://gateway.trymighty.ai/v1/scan \
  -H "Authorization: Bearer $MIGHTY_API_KEY" \
  -F "file=@./damage-photo.jpg" \
  -F "content_type=image" \
  -F "scan_phase=input" \
  -F "mode=secure" \
  -F "focus=all" \
  -F "profile=strict" \
  -F "data_sensitivity=tolerant"

For image authenticity-only review, use focus=ai. For original-vs-submitted image comparison, use focus=edits with reference_file. See Damage Photo AI Fraud Review.

Node Helper

export async function scanUpload(file: File, workflowId: string) {
  const form = new FormData();
  form.append("file", file);
  form.append("content_type", "auto");
  form.append("scan_phase", "input");
  form.append("mode", "secure");
  form.append("focus", "steg");
  form.append("data_sensitivity", "tolerant");
  form.append("session_id", workflowId);

  const response = await fetch("https://gateway.trymighty.ai/v1/scan", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${process.env.MIGHTY_API_KEY}`,
    },
    body: form,
  });

  if (!response.ok) {
    throw new Error(`Mighty upload scan failed with ${response.status}`);
  }

  return response.json();
}

Routing Logic

export function routeUpload(scan: { action: string }) {
  if (scan.action === "ALLOW") {
    return "store_and_process";
  }

  if (scan.action === "WARN") {
    return "store_quarantined_and_queue_review";
  }

  return "reject_or_quarantine";
}

Common Mistakes

  • Sending files from the browser directly to Mighty. Keep the API key on your server.
  • Running OCR first on high-risk files. Scan the file before the OCR or extraction step when possible.
  • Treating a WARN as a failed upload. It is often a review route.
  • Dropping scan_group_id. You need it when scanning extracted text or model output from the same file.

Production Checklist

  • Scan before permanent trust decisions.
  • Quarantine WARN and BLOCK uploads if your workflow stores them.
  • Store scan_id, scan_group_id, content_type_detected, action, and risk_score.
  • Add upload size limits before forwarding.
  • Handle 413 as a size or tier limit path.
  • Handle 402 as a billing or tier cap path.
  • Prefer async deep scan for large PDFs or high-value image evidence.
Next step

Ready to scan real traffic?

Create an API key, keep it on your server, then wire Mighty into the workflow that handles untrusted material.

Get an API keyHandle limits

AI-Agent Prompt

AI-ready prompt
Add file upload scanning

Paste this into Cursor, Codex, Claude Code, or Windsurf.

Add Mighty to the server-side file upload flow.

Requirements:
- Use multipart form data.
- Send the upload to POST https://gateway.trymighty.ai/v1/scan.
- Use content_type=auto unless the route knows image, pdf, or document.
- Use scan_phase=input, mode=secure, focus=steg, data_sensitivity=tolerant for mixed uploads. Use focus=all only for known image/PDF evidence that needs authenticity or edit review.
- Store the result with the upload record.
- Route ALLOW to normal storage and processing.
- Route WARN to quarantine plus human review.
- Route BLOCK to reject or quarantine.
- Preserve scan_group_id for later OCR output and model output scans.

Acceptance criteria:
- API key never reaches the browser.
- Tests cover ALLOW, WARN, BLOCK, 402, 413, and 429.
- Upload errors use safe fallback behavior.
Related docs

Keep going from here

Choose Scan SettingsPick mixed-upload settings.Scan Text And OCR OutputScan extracted text next.Error HandlingHandle limits and failures.Billing And LimitsPlan for file size and SCU.