# Retrieving Files & Recordings

Customer conversations can include both file attachments and recordings, depending on the channels that you use. With our files API, you can request and download all these files for storage or GDPR compliance.

## How to retrieve attachments and call recordings

If a customer conversation has any file attachments, you can find links to them when requesting [the message endpoint of our Dixa API](https://docs.dixa.io/openapi/dixa-api/v1/tag/Messages/#tag/Messages/operation/getConversationsConversationidMessages) under `attributes`.

The webhook event `CONVERSATION_MESSAGE_ADDED` also contains links to the file attachments.

There are three different types of links:

1. `https://files.dixa.io/private/...`
2. `/private/...`
3. `/public/...`


For the first case, the URL can be left as it is.

For the 2nd and third type of path, you need to add the domain and protocol as a prefix (`https://files.dixa.io`), so the URL becomes `https://files.dixa.io/private/...`

If you follow the link to the respective file, you are redirected to our files API.

### Bulk attachments/call recordings

If you need call recordings or attachments in bulk, take a look at our [Message Export API](https://docs.dixa.io/docs/exports-api-guide/), which contains the links to the call recordings and also includes attachments.

Authentication to the files works the same way for both recordings and attachments, and is as described below.

## Authorization

Dixa decides whether or not a file should be `public` rather than `private`. For example, a file uploaded by a customer using the Dixa Messenger widget will be `public` as the file needs to be shown to your customer. A file uploaded in an internal note will be `private`.

For security, you'll need to authenticate your request with an authorization header if the path includes "private". For "public" attachments, no authentication is required.

For "private" file authentication, use a Dixa API token as a [Basic authorization header.](https://en.wikipedia.org/wiki/Basic_access_authentication) Use `bearer` as username, and your API token as password. Don't forget to base64-encode the username and password.

Example header (replace `yourapitoken` with an API token):
`Authorization: Basic base64(bearer:yourapitoken)` which would result in `Authorization: Basic YmVhcmVyOnlvdXJhcGl0b2tlbg==`

Using this authorization header, you can make a GET request to the attachment or recording URL and you should get the requested file.

### Example request


```bash
curl -X GET "https://files.dixa.io/private/....." \
 -H "Authorization: Basic YmVhcmVyOnlvdXJhcGl0b2tlbg=="
```