Client-side content arbitration with Scanii

With Scanii you can process files directly from your client browser without having to submit potentially malicious/unwanted content to your servers.

This works by utilizing a feature of Scanii called  authentication tokens, with which you can create one-time API credentials that you can use to submit content directly, and safely, from your users’ browsers using javascript.

Here’s how the logic works in a nutshell:

  1. A conventional file upload HTML form is sent to the browser
  2. A small amount of javascript is used to intercept the submit event of the form and then: 
    1. Create a one-time authentication token using Scanii’s Auth Token API
    2. Use that one-time API authentication token to submit the file to Scanii for processing/identification using our File API
    3. Based upon our File API response we will either submit the form to the server (including the identifier of the File API) or notify the user of the content findings.
  3. Back on the server side, we now validate that the content was indeed properly processed by looking up the processing result via the result identifier. If everything checks out, the file is good to be stored or the server.

Here’s what all that magic look like:

So, when should you use client side content processing?

That is an excellent question to which there isn’t really a one-size-fits-all answer, it ultimately depends on your requirements. If you would like to do as much work as possible on the client-side browser, this feature is for you.

The pros and cons of making content decisions client side

  • Pros 
    • Malicious/unwanted files are identified before being sent to your servers.
    • Integrates nicely with single page apps (SPA) using React or Angular.
  • Cons 
    • From a client browser perspective, content is submitted twice, once to Scanii for processing and again to your service for storage.
    • Slightly more complex integration involving both browser and server coordination work.

How do you get around the browser same-origin policy?

Good question, all of our globally distributed API endpoints support CORS.

Sample source code

The source code for the above sample application is available in Github here: and licensed under an open source license - Apache 2.0.

Still have questions? Reach out to our support at

Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.

Still need help? Contact Us Contact Us