Summary
linear issue view appears unable to access private uploads.linear.app links embedded in comment markdown when using a personal API key.
The CLI already has download logic for Linear uploads, but in practice comment-embedded private upload links still fail with 401 Unauthorized in this setup.
This looks like either:
- a bug in how the CLI handles private upload authentication,
- a mismatch between documented and actual auth behavior for private file storage, or
- a missing fallback path for comment markdown links that point to private uploads.
Environment
- linear-cli version: 2.0.0
- auth mode: personal API key via linear auth token
- workspace: private workspace
- reproduced on macOS / local OpenClaw environment
What I expected
Given the current CLI behavior and docs/changelog, I expected linear issue view to successfully download or otherwise resolve private uploads.linear.app links referenced in issue comments.
What actually happened
- The CLI can fetch the issue and comment body successfully.
- The comment body contains a private https://uploads.linear.app/... link.
- Downloading that file still fails with 401 Unauthorized.
- This also fails when tested manually outside the CLI with the same token.
Reproduction
1. Create or find an issue comment containing a private upload link
For example, a comment body like:
[Income Expense Details Apr 2026.csv](https://uploads.linear.app/<org>/<...>/<file>)
2. Confirm the CLI can read the comment body
linear api '{ issue(id: "LIL-302") { comments(first: 10) { nodes { body } } } }'
This succeeds and returns the comment body containing the uploads.linear.app URL.
3. Try viewing the issue normally
linear issue view LIL-302 --no-pager
Expected: private upload links are downloaded/resolved as described by the existing attachment/image download support.
Actual: the issue renders, but the private upload link is not made accessible in a usable way.
4. Try fetching the same upload URL directly with the personal API key
Using the token returned by:
GraphQL authentication works with:
curl https://api.linear.app/graphql \
-H "Content-Type: application/json" \
-H "Authorization: <API_KEY>" \
--data '{"query":"{ viewer { id } }"}'
But the file URL returns 401:
curl "https://uploads.linear.app/..." \
-H "Authorization: <API_KEY>"
I also tested:
curl "https://uploads.linear.app/..." \
-H "Authorization: Bearer <API_KEY>"
That also returned 401 Unauthorized.
Relevant docs
These docs seem relevant, but together they leave the behavior a bit ambiguous:
GraphQL auth docs
Personal API keys are documented as:
And the docs also say that images/assets uploaded into Linear accept regular API authentication, including API keys.
Source:
File storage auth docs
Private uploaded files are documented with:
Authorization: Bearer <ACCESS_TOKEN>
And also mention the public-file-urls-expire-in header for signed URLs.
Source:
Why I think this is worth reporting
The CLI changelog strongly suggests attachment/image download support should work:
- file attachment support for issues/comments
- automatic attachment download in issue view
- downloads for authenticated uploads.linear.app URLs
But for comment markdown links pointing at private uploads, the current behavior still appears broken or at least incomplete.
Questions
- Are private uploads.linear.app links supposed to be accessible with a personal API key, or only with OAuth access tokens?
- If personal API keys should work, is the CLI missing a required auth/header/signing flow here?
- If direct private upload links are not guaranteed to work, should the CLI request signed URLs instead when rendering comments/issues?
- Should issue view surface a clearer warning when comment-embedded private upload links cannot be fetched?
Notes
I noticed the current source used raw Authorization: <token> for upload downloads in issue-view.ts, which does not match the file storage docs example. I tested a local patch adding Bearer, but it still did not resolve the 401, so I suspect there may be a deeper auth or signed-URL issue beyond just that header mismatch.
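Added example (not part of the original report and not linear-cli code): one way a viewer could restrict credentialed downloads to the exact uploads.linear.app host, try both Authorization forms tested above, and surface a warning when neither works. All function names and the injected `send` callback are hypothetical.

```typescript
// Added example: every name here is hypothetical, none is taken from linear-cli.
const UPLOAD_HOST = "uploads.linear.app";

type Send = (url: string, headers: Record<string, string>) => Promise<number>;
interface Attempt { scheme: string; status: number }

// Exact-host, https-only check so the API key is never attached to a
// look-alike such as uploads.linear.app.example.net or a userinfo trick.
function isUploadUrl(raw: string): boolean {
  try {
    const u = new URL(raw);
    return u.protocol === "https:" && u.hostname === UPLOAD_HOST;
  } catch {
    return false; // relative or malformed link target
  }
}

// Collect markdown link and image targets that point at private uploads.
function extractUploadLinks(markdown: string): string[] {
  const re = /\]\(([^)\s]+)/g;
  const out: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(markdown)) !== null) {
    if (isUploadUrl(m[1]) && out.indexOf(m[1]) < 0) out.push(m[1]);
  }
  return out;
}

// Try the raw and Bearer forms of the Authorization header from the report.
// `send` performs the request and resolves to the HTTP status code.
async function probeUpload(url: string, token: string, send: Send): Promise<Attempt[]> {
  if (!isUploadUrl(url)) throw new Error("refusing to send credentials to " + url);
  const variants: [string, string][] = [["raw", token], ["bearer", "Bearer " + token]];
  const attempts: Attempt[] = [];
  for (const [scheme, value] of variants) {
    const status = await send(url, { Authorization: value });
    attempts.push({ scheme, status });
    if (status >= 200 && status < 300) break;
  }
  return attempts;
}

// Message a viewer could print instead of silently skipping the file.
function describeAttempts(url: string, attempts: Attempt[]): string {
  const ok = attempts.filter((a) => a.status >= 200 && a.status < 300)[0];
  if (ok) return "fetched " + url + " using " + ok.scheme + " Authorization";
  const tried = attempts.map((a) => a.scheme + "=" + a.status).join(", ");
  return "warning: private upload not fetched: " + url + " (" + tried + ")";
}
```

The `send` callback keeps the HTTP client out of the logic, so the host check and the warning text can be exercised without a network call or a real key.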