I believe using a token IS the best practice. If you can set up a common 3rd party server to handle the key verification, that would probably be a good starting point, and I've included a basic setup for this below.
Simple Version: Basic keystore server (Redis is more than capable).
Have both the app server and storage server able to authenticate to the Redis store.
When a user needs to upload, have the app create a one-time (GUID) key in the Redis store. When you submit the upload, include this key in the header.
When receiving the storage request, the storage server should pull the key out of the header, verify it exists in the Redis store, and then clear the key.
You could add any additional data you wanted to in that request as well, such as the username, but the key is going to be your authoritative decider.
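The flow described above, as an added example that is not part of the original answer: the app server issues a one-time GUID key, and the storage server redeems it with a single read-and-delete so two concurrent requests cannot both pass the check. Assumptions: the `X-Upload-Token` header name, the `upload:` key prefix, the 60-second expiry and the `FakeKeystore` in-memory stand-in (which mirrors redis-py's `set(..., ex=...)` and `getdel`) are all illustrative and not from the answer.

```python
import time
import uuid

class FakeKeystore:
    """In-memory stand-in for the shared Redis store (constructed for this example).
    Mirrors redis-py's set(name, value, ex=...) and getdel(name)."""
    def __init__(self):
        self._data = {}

    def set(self, name, value, ex=None):
        expires = time.monotonic() + ex if ex is not None else None
        self._data[name] = (value, expires)
        return True

    def getdel(self, name):
        # Read and remove in one step, as Redis GETDEL does atomically.
        value, expires = self._data.pop(name, (None, None))
        if expires is not None and time.monotonic() >= expires:
            return None
        return value

TOKEN_TTL_SECONDS = 60  # assumption: the answer does not mention expiry

def issue_upload_token(store, username):
    """App server: create a one-time GUID key and record who it was issued to."""
    token = str(uuid.uuid4())
    store.set(f"upload:{token}", username, ex=TOKEN_TTL_SECONDS)
    return token

def redeem_upload_token(store, headers):
    """Storage server: accept the upload only if the header key exists, and
    clear it in the same operation so it cannot be used twice."""
    token = headers.get("X-Upload-Token")  # hypothetical header name
    if not token:
        return None
    try:
        token = str(uuid.UUID(token))  # reject anything that is not a GUID
    except ValueError:
        return None
    # Returns the username stored at issue time, or None if unknown/used/expired.
    return store.getdel(f"upload:{token}")
```

Against a real server, a `redis.Redis(decode_responses=True)` client can take the place of `FakeKeystore`; `GETDEL` requires Redis 6.2 or later.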