I have just started reading your docs on security and policy generation after realising that files could easily be deleted with the API key and a DELETE request. Your security implementation seems to be the answer to protecting our users' files (images in this case) and rendering the API key useless for file writes.
However, before I implement security, I have some questions:
I want all images to be publicly accessible, i.e. policy `?call=read`.
Is there a way to set up a default read-only policy so that files are publicly accessible without having to generate a policy for every URL? (or am I misunderstanding)
I would ideally like to serve images with a URL of https://www.filepicker.io/api/file/[handle] and write/remove images by generating the policy for authenticated users (and for API calls on the backend).
EDIT: Unfortunately Liyan's answer is not optimal for me as I could have hundreds of images, each requiring hard-coded query strings to be appended after being loaded from the db. The solution from my perspective is to have a checkbox (for now, and a default policy editor later) in the developer portal which would allow you to set read-only access for 'default' URLs. Is that (or something similar) something the filepicker.io guys/gals would consider adding? Otherwise the extra maintenance and complexity of having URL processing between my db and views is a bit of a nightmare.
EDIT: Well Filepicker.io have shown once again what a great service they offer! Big thank you to Liyan and the rest of the team for those changes. I will recommend you guys to whoever I can 🙂
You can now set your URLs as "Read Only" in your developer portal.
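For readers who still need per-URL policies for writes and removes, the following is an added example (not code from the question or from Filepicker) of what policy generation and the corresponding server-side check look like. It assumes the scheme Filepicker's docs describe: a policy is a base64url-encoded JSON object carrying `expiry`, `call` and optionally `handle`, the signature is the hex HMAC-SHA256 of that base64 string under the app secret, and both travel as `policy` and `signature` query parameters. The secret, handle and timestamps below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Constructed placeholder; a real app secret never belongs in client-side code
# or in a URL, only on the backend that mints policies.
APP_SECRET = "constructed-example-secret"


def encode_policy(policy: dict) -> str:
    """Serialise the policy JSON and base64url-encode it (assumed wire format)."""
    raw = json.dumps(policy, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode()


def sign_policy(policy_b64: str, secret: str) -> str:
    """Hex HMAC-SHA256 over the base64 policy string, keyed with the app secret."""
    return hmac.new(secret.encode(), policy_b64.encode(), hashlib.sha256).hexdigest()


def make_signed_policy(calls, secret, handle=None, ttl_seconds=3600, now=None):
    """Mint a policy limited to the given calls (e.g. ["read"] or ["remove"]),
    a lifetime, and optionally a single file handle. Returns (policy, signature)."""
    now = int(time.time()) if now is None else now
    policy = {"expiry": now + ttl_seconds, "call": sorted(calls)}
    if handle is not None:
        policy["handle"] = handle  # scoping to one handle limits what a leaked policy grants
    policy_b64 = encode_policy(policy)
    return policy_b64, sign_policy(policy_b64, secret)


def signed_url(base_url, handle, policy_b64, signature):
    """Append the policy and signature to a file URL; this is the query string the
    question describes having to attach to every image loaded from the db."""
    query = urlencode({"policy": policy_b64, "signature": signature})
    return f"{base_url}/api/file/{handle}?{query}"


def check_request(policy_b64, signature, secret, call, handle, now=None):
    """Server-side acceptance check, modelling what a verifier must enforce:
    the signature is valid, the policy is unexpired, it permits this call, and
    (if it names a handle) the handle matches. Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    expected = sign_policy(policy_b64, secret)
    # Constant-time comparison avoids leaking the expected signature via timing.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        policy = json.loads(base64.urlsafe_b64decode(policy_b64))
    except (ValueError, TypeError):
        return False, "malformed policy"
    if not isinstance(policy.get("expiry"), int) or policy["expiry"] <= now:
        return False, "expired"
    if call not in policy.get("call", []):
        return False, f"call '{call}' not permitted by policy"
    if "handle" in policy and policy["handle"] != handle:
        return False, "policy is bound to a different handle"
    return True, "ok"


if __name__ == "__main__":
    # Usage: a read-only policy for one image, and the URL a view would emit.
    policy_b64, signature = make_signed_policy(["read"], APP_SECRET, handle="EXAMPLE_HANDLE")
    print(signed_url("https://www.filepicker.io", "EXAMPLE_HANDLE", policy_b64, signature))
    # The same policy is useless for a DELETE, which is the point of the scheme.
    print(check_request(policy_b64, signature, APP_SECRET, "remove", "EXAMPLE_HANDLE"))
```

The check function is the part worth reading twice: a read-only policy presented with a remove call fails on the `call` test, a policy minted for one handle fails on another, and any edit to the base64 policy invalidates the signature, so the API key alone no longer suffices for writes.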