Share folder with external collaborators

Last updated: May 19, 2026

Sharing runs through POST /api/v1/creative-hub/share/:fileId (verified in apps/backend/src/routes/api/creative-hub-sharing.route.ts). Wevion calls the Google Drive permissions API with role='writer' (read + edit) and type='user' (an individual email address). Shared emails are stored in app_settings. The granted user receives a Drive notification and can open the file directly in the Drive UI. The permission persists until it is explicitly revoked.

Who is this for

Anyone collaborating with external parties (client reviewers, agency partners, freelancers) who need access to ad creatives without a Wevion account.

How it works

Wevion's Creative Hub stores files on Google Drive via a Service Account. The Service Account technically owns the file. To grant external access, Wevion calls Drive's permissions API to add the external email as a writer on the file.

After sharing:

  • The external user receives a Drive notification email

  • They can open the file directly in Drive (no Wevion account needed)

  • They can preview, download, and edit (writer permission)

  • The share persists in Drive until explicitly removed

How to share

Step 1: Pick the file or folder

Right-click the file or folder → Share, or open the action menu → Share.

Step 2: Enter email

A modal opens with an email input. Enter the collaborator's email (Gmail or any other address; Drive handles non-Gmail addresses by sending an invitation).

Step 3: Confirm

Click Share. This sends POST /api/v1/creative-hub/share/:fileId. The backend then:

  1. Calls Drive permissions API with {role: 'writer', type: 'user', emailAddress: ...}

  2. Records email in app_settings (shared emails list)

  3. Writes audit log entry action: creative_share

The collaborator receives Drive's notification email.

Step 4: Confirm in UI

The modal closes and the file shows a "Shared" badge in the grid. The shared emails list is visible in the file's detail view.

What the collaborator sees

  • Drive notification email: "{Wevion-Workspace-Service-Account-Email} shared a file with you"

  • Click link → opens file in Drive

  • Can preview / download / edit

  • Cannot see other Wevion files in your hub (only the specific shared file/folder)

Revoking a share

In the file's detail view → Shared with → click ✕ next to the email → confirm.

The backend calls the Drive permissions API to remove the permission. The collaborator loses access immediately (next time they try to open the file, Drive returns 403).

Sharing scope

| You share   | Collaborator can access                                |
|-------------|--------------------------------------------------------|
| Single file | Just that file                                         |
| Folder      | The folder + everything inside (Drive default cascade) |
| Subfolder   | That subfolder + everything inside                     |

Drive's permission cascade applies. To share a subset: share each file individually instead of a parent folder.

Limits

  • Number of shares per file: Drive enforces limits (typically thousands but watch quota in /settings → Integrations → Google Drive)

  • Sharing with non-Gmail: works — Drive sends invitation; collaborator creates Drive account or uses single sign-on

  • Share notification language: Drive's default (usually English; some locale support)

Audit log

Each share writes action: creative_share in audit_log with metadata:

  • file_id / folder_id

  • shared_with_email

  • granted_by_user_id

  • permission_role (writer)

Revokes write action: creative_unshare with same metadata + revoked_by_user_id.

Visible at /api/v1/audit-logs?resource_type=creative_share.

Compliance considerations

External sharing means data leaves your Wevion workspace boundary into Drive's permissions model. For sensitive content:

  • Review what you share carefully (client briefs, brand assets)

  • Periodically audit shares: query /api/v1/audit-logs?action=creative_share for grants, and match them against creative_unshare entries to see which are still active

  • Revoke promptly when engagement ends

For GDPR / data residency: shared files inherit Drive's data storage region (your workspace's Drive region). Collaborator's access is controlled by Wevion's revoke flow.
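An added example (not Wevion's own code) of the periodic audit described above: it replays creative_share and creative_unshare entries to list grants that are still open and flags those older than a cutoff. The entry layout, the created_at field, the activeGrants helper and the sample data are assumptions; the page gives only the action names and metadata fields.

```typescript
// Assumed entry shape: the page names the actions and metadata fields, not
// the JSON layout of the endpoint; created_at is a hypothetical field name.
interface AuditEntry {
  action: "creative_share" | "creative_unshare";
  created_at: string; // ISO 8601 timestamp
  metadata: {
    file_id?: string; folder_id?: string; shared_with_email: string;
    granted_by_user_id?: string; revoked_by_user_id?: string; permission_role?: string;
  };
}
interface ActiveGrant {
  resourceId: string; isFolder: boolean; email: string;
  role: string; grantedBy: string; ageDays: number; stale: boolean;
}
// Replays share/unshare events in time order; returns grants never revoked.
function activeGrants(entries: AuditEntry[], now: Date, maxAgeDays: number): ActiveGrant[] {
  const ordered = entries.slice().sort((a, b) => Date.parse(a.created_at) - Date.parse(b.created_at));
  const open: Record<string, ActiveGrant> = Object.create(null);
  for (const e of ordered) {
    const m = e.metadata;
    const resourceId = m.folder_id ?? m.file_id;
    if (!resourceId) continue; // malformed entry: no resource to attribute
    const email = m.shared_with_email.trim().toLowerCase(); // case-insensitive match
    const key = resourceId + "|" + email;
    if (e.action === "creative_unshare") { delete open[key]; continue; }
    if (key in open) continue; // repeated share: keep the earliest open grant
    const ageDays = Math.floor((now.getTime() - Date.parse(e.created_at)) / 86400000);
    open[key] = {
      resourceId, email, ageDays, stale: ageDays > maxAgeDays,
      isFolder: m.folder_id !== undefined, // folder grants cascade to children
      role: m.permission_role ?? "writer",
      grantedBy: m.granted_by_user_id ?? "unknown",
    };
  }
  return Object.keys(open).map((key) => open[key]);
}

// Constructed sample entries (not real data).
const sampleLog: AuditEntry[] = [
  { action: "creative_share", created_at: "2026-01-10T09:00:00Z",
    metadata: { folder_id: "fld-brand", shared_with_email: "Agency@example.com", granted_by_user_id: "u1" } },
  { action: "creative_share", created_at: "2026-03-02T12:00:00Z",
    metadata: { file_id: "f-101", shared_with_email: "reviewer@example.org", granted_by_user_id: "u2" } },
  { action: "creative_unshare", created_at: "2026-03-20T08:30:00Z",
    metadata: { file_id: "f-101", shared_with_email: "Reviewer@example.org", revoked_by_user_id: "u2" } },
  { action: "creative_share", created_at: "2026-05-01T10:00:00Z",
    metadata: { file_id: "f-202", shared_with_email: "freelancer@example.net", granted_by_user_id: "u1" } },
];
console.log(activeGrants(sampleLog, new Date("2026-05-19T00:00:00Z"), 90));
```

Stale folder grants deserve the first look, since a folder share cascades to everything inside it.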

Common mistakes

  • Sharing a folder when you meant a file: cascades to all children. Pick the specific file.

  • Sharing without auditing: shares accumulate; periodic audit + cleanup prevents long-tail risk.

  • Sharing the workspace's brand-assets folder broadly: anyone with access can edit. Use read-only access (Drive reader role) where possible, but note that Wevion's flow defaults to writer.

  • Sharing with a mistyped email: Drive silently sends the invitation to the wrong address. Verify the spelling.

  • Confusing Drive share with Wevion team-folder visibility: they're different layers. Drive share = external collaborator access via Drive UI. Wevion team folder = teammate visibility within Wevion UI (see ch-104).
