As mentioned in comments here, the ideal situation would be that the API would return short-lived signed URLs. This additional measure as part of defense in depth would mitigate the impact of inadvertent disclosure of a link, as it would only be accessible for a short period of time. It would also harden it against a misconfigured S3 bucket that enabled directory listing.
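To show the mechanism the answer describes, here is an added example (not from the original post, and not S3's own presigning code) of an HMAC-based short-lived signed URL: the API binds the object path to an expiry time, and the file server rejects any link whose signature does not match or whose expiry has passed. The signing key, hostname and paths are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example; a real deployment loads the key from a secrets store.
SIGNING_KEY = b"example-only-signing-key"


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the object path and the expiry so neither can be altered."""
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def issue_signed_url(base: str, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a URL for `path` that is only valid until now + ttl_seconds."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(path, expires)})
    return f"{base}{path}?{query}"


def verify_signed_url(url: str, now: Optional[int] = None) -> bool:
    """Accept the link only if the expiry has not passed and the signature matches."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # unsigned or malformed link: never serve the object
    current = int(now if now is not None else time.time())
    if current >= expires:
        return False  # expired: a leaked link is useless after the window closes
    expected = _mac(parts.path, expires)
    return hmac.compare_digest(expected, sig)  # constant-time comparison


if __name__ == "__main__":
    link = issue_signed_url("https://files.example.com", "/reports/q1.pdf", ttl_seconds=300)
    print(link)
    print("valid now:", verify_signed_url(link))
```

With S3 itself the same effect comes from the SDK's presigning call with a short `ExpiresIn`; the bucket then needs no public read or listing permission at all.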