HTTPS Access to Collections

Globus Connect Server version 5.3 has been deprecated. Please install version 5.4. If you need to upgrade an existing Globus Connect Server version 5.3, please read the Migration Guide and use the v5.3 migration tool.

1. Overview

Globus Connect Server version 5 includes support for basic HTTPS access to Globus collections. This includes download and upload of files only, and may be used either programmatically, or linked to or downloaded from a web application. This guide describes how to access data on a Globus collection via HTTPS.

2. Determining the Collection HTTPS Base URL

Information about Globus Connect Server version 5 collections are available using the Globus Transfer API. Among this information is the base URL which can be used to access collection data.

To determine this information, look for the https_server property in the collection’s Endpoint document.

2.1. From the command-line:

% globus endpoint show 60a0c6af-3f73-453c-afbe-c8504fc428b6 \
    --jq 'https_server' -F unix

2.2. Using the python sdk:

from globus_sdk import TransferClient, AccessTokenAuthorizer


transfer_client = TransferClient(

endpoint_id = '60a0c6af-3f73-453c-afbe-c8504fc428b6'
endpoint = transfer_client.get_endpoint(endpoint_id)

https_server = endpoint['https_server']

2.3. Using the web app

Visit the collection in the file browser, select a file, then click on "Get Link" on the right panel.

3. Authorization

3.1. Guest Collections

Guest collections allow user-specified Access Control Lists, which may include either any Globus Auth identity, a specific Globus Auth identity, Globus Groups identity, or be completely public with no authorization. If the collection requires an authenticated identity, your application must obtain an appropriate access token and present that to the HTTPS service.

Note that Guest Collection administrators may create ACLs for the identity of an application based on its Globus Auth client_id (by allowing access to If such an ACL is present, the application may use an OAuth client_credentials grant to obtain an access token to interact with the https service.

3.2. Mapped Collections

Mapped collections always require a Globus Auth identity to access the service. Mapped collections require a high assurance storage gateway.

A system administrator may create a mapping from an application to a local account in the gridmap file. If this is the case, the application may use an OAuth client_credentials grant to obtain an access token to interact with the https service.

4. Access Tokens for HTTPS

If the collection requires a Globus Auth identity to access the endpoint, your application must present an access token using the "Authorization" HTTP header.

4.1. Required scope

The scope required to access the endpoint is based on the collection ID used in transfer, using this format:

For the example collection above:

5. Accessing Data

5.1. Supported HTTP Methods

The HTTPS server supports the OPTIONS, HEAD GET, PUT, and DELETE, provided the client identity is authorized for that operation on the particular path.

Note that the HTTPS service does not support directory listings.

5.2. Programmatic Access

When accessing the resource programmatically, include the X-Requested-With header to avoid being redirected to when the token does not grant access to the requested resource.

Example X-Requested-With Header
X-Requested-With: XMLHttpRequest

5.3. Request a Browser Download

By default, the HTTPS service includes the Content-Disposition header set to inline so that the data is loaded directly in to the browser and can be viewed. To request the data be downloaded by the browser, append the query parameter download when requesting the object. This changes the service response to include a Content-Disposition header set to attachment with a suggested filename.