How can I make sure that an image is actually from my correct user?

In short: use Signature Authentication.

If you run a website and are in control of its server-side code, you can safely store your Transloadit Auth Secret there. Your visitors will be logged in with your server. Let's say they want upload something. Your server now generates a secret, knowing it is for a particular logged in user. The server can tag the upload and generate a signature of all these parameters using the secret only it and Transloadit know.

When the files arrive on our end, we will also create a signature of the parameters using the same secret. If the signatures don't match - and you have enabled the option in your account that signatures are required - we will reject the upload.

This way you can be sure that:

  1. Uploads only work for users who are logged in
  2. Uploads are tagged with user information that cannot be forged by the users themselves, as they don't have the secret to forge the correct signature for those parameters.

See also:

How do I limit an sFTP user to one directory? Will there ever be an encoding queue? How do I set up with DigitalOcean Spaces?