diff --git a/README.md b/README.md
index 6966162..2f0c715 100644
--- a/README.md
+++ b/README.md
@@ -16,15 +16,22 @@ ADA is a client that talks to the [dCache storage system](https://dcache.org/) [
 * Work with labels on files: set labels, remove them, and search directories for files with labels
 * Work with file metadata (extended attributes): set attributes, delete them, and search directories for files with certain attributes
 * Stage files (restore from tape), check whether they are online or not
-* Show available space in dCache
+* Show your disk and tape quotas
 * Subscribe to server-sent-events to set up automated workflows
+* Upload and download files
+
+Many of these operations can be done recursively. For authentication, ADA supports X509, tokens (macaroons and OIDC) and basic auth (username/password), depending on the dCache configuration.
+
+When something goes wrong, Ada tries to provide clear, understandable and useful error messages, so you can help yourself, or otherwise your support team will be able to help you better.
+
+With the `--debug` flag, Ada provides a wealth of information that may help you to troubleshoot problems. If you are a developer, this will help you to understand how to talk to the dCache API.
 
-Many of these operations can be done recursively. For authentication, ADA supports X509, tokens (macaroons and OIDC) and basic auth (username/password), depending on the dCache configuration. 
 
 #### Limitations
 
-* ADA does not transfer files; we suggest you use [Rclone](https://rclone.org/) for that.
+* ADA can upload and download files, but not in bulk, and it's not as efficient as [Rclone](https://rclone.org/).
 * ADA depends on dCache. The dCache system you work with may have limitations that impact ADA.
+* Ada is currently implemented in bash. Bash has limitations; for instance, trying to stage more than 1500 files in a single operation may fail.
 
 ### Installation
 
diff --git a/ada/ada b/ada/ada
index dd0c053..8602f5f 100755
--- a/ada/ada
+++ b/ada/ada
@@ -99,6 +99,58 @@ usage() {
 	      Please note, that dCache storage systems usually
 	      don't have an undelete option.
 
+	  --upload /localpath/file /remotepath/[file] [--verify-checksum] [--allow-insecure-redirects]
+	      Upload a file from the local system to dCache.
+
+	      With --verify-checksum, Ada computes the local file's
+	      MD5 checksum and sends it along with the upload.
+	      If the uploaded file's checksum does not match,
+	      dCache aborts the transfer and removes the corrupt file.
+	      This ensures data integrity during transfer.
+
+	      By default, dCache uses Adler32 as checksum.
+	      With --verify-checksum, dCache will store both the
+	      default (Adler32) and the MD5 checksum in its database.
+	      Without --verify-checksum, only the Adler32 checksum
+	      is stored, and not verified.
+	      
+	      Ada does not overwrite files. If the destination file
+	      exists, Ada will print an error message, except when
+	      you specify --verify-checksum: then Ada will compare
+	      checksums of source and destination.
+
+	      Ada will try several ways to discover a WebDAV door
+	      to use for the transfer.
+	      If that fails, you can specify the door explicitly by
+	      prepending it to the remote path, for example:
+	      https://webdav.example.org/remotepath/remotefile
+
+	      During uploads, Ada will prevent redirects from
+	      HTTPS to HTTP for security reasons. If you want to
+	      allow HTTP (for performance reasons), you can use
+	      --allow-insecure-redirects.
+
+	  --download /remotepath/file /localpath/[file] [--verify-checksum] [--allow-insecure-redirects]
+	      Download a file from dCache.
+	      With --verify-checksum, Ada will verify the file's checksum
+	      after download, and show an error message if it doesn't match.
+
+	      Ada does not overwrite files. If the destination file
+	      exists, Ada will print an error message, except when
+	      you specify --verify-checksum: then Ada will compare
+	      checksums of source and destination.
+
+	      Ada will try several ways to discover a WebDAV door
+	      to use for the transfer.
+	      If that fails, you can specify the door explicitly by
+	      prepending it to the remote path, for example:
+	      https://webdav.example.org/remotepath/remotefile
+
+	      During downloads, Ada will prevent redirects from
+	      HTTPS to HTTP for security reasons. If you want to
+	      allow HTTP (for performance reasons), you can use
+	      --allow-insecure-redirects.
+
 	  --setlabel <file> <label>
 	      Attach a label to a file.
 	  --rmlabel <file> <label>
@@ -300,8 +352,10 @@ set_defaults() {
   path=
   request_id=
   recursive=false
+  verify_checksum=false
   force=false
   resume=false
+  allow_insecure_redirects=false
 
   # Default options to curl for various activities;
   # these can be overridden in configuration files, see below.
@@ -487,6 +541,18 @@ get_args() {
         path="$2"
         shift ; shift
         ;;
+      --upload )
+        command='upload'
+        source="$2"
+        target="$3"
+        shift ; shift ; shift
+        ;;
+      --download )
+        command='download'
+        source="$2"
+        target="$3"
+        shift ; shift ; shift
+        ;;
       --setlabel )
         command='setlabel'
         check_arg $command $2
@@ -673,6 +739,14 @@ get_args() {
         recursive=true
         shift
         ;;
+      --verify-checksum )
+        verify_checksum=true
+        shift
+        ;;
+      --allow-insecure-redirects )
+        allow_insecure_redirects=true
+        shift
+        ;;
       --force )
         force=true
         shift
@@ -1055,20 +1129,23 @@ get_webdav_door () {
   local webdav_door
   local command
   # Method 1: if there's an Rclone config file, read the WebDAV door from that.
+  $debug && echo "Getting WebDAV door." 1>&2
+  $debug && echo "Method 1: get WebDAV door from tokenfile." 1>&2
   if [ -f "$tokenfile" ] ; then
     $debug && echo "Getting WebDAV door from '$tokenfile' ..." 1>&2
     webdav_door=$(awk -F' *= *' '/^url *=/ {print $2}' "$tokenfile")
     if [ -n "$webdav_door" ] ; then
+      $debug && echo 1>&2 "Selected WebDAV door: '$webdav_door'"
       echo "$webdav_door"
       return 0
     fi
   fi
-  $debug && echo "Method failed. Trying next method." 1>&2
+  $debug && echo "Method 1 failed. Trying next method." 1>&2
   # Method 2: read the /scripts/config.js file from the API server.
+  $debug && echo "Method 2: get WebDAV door from API configuration." 1>&2
   command='$debug && set -x
            curl "${curl_authorization[@]}" \
                 "${curl_options_common[@]}" \
-                -H "Authorization: bearer $BEARER_TOKEN" \
                 -H "Accept: application/json" \
                 "$api_server/scripts/config.js" \
            | jq -r ".\"dcache-view.endpoints.webdav\"" '
@@ -1080,10 +1157,11 @@ get_webdav_door () {
   fi
   # If we got a WebDAV door, we're done! Print value and return.
   if [ -n "$webdav_door" ] ; then
+    $debug && echo 1>&2 "Selected WebDAV door: '$webdav_door'"
     echo "$webdav_door"
     return 0
   fi
-  $debug && echo "Method failed. Trying next method." 1>&2
+  $debug && echo "Method 2 failed. Trying next method." 1>&2
   # Method 3.
   # This uses the /doors API call, which lists all doors.
   # The list of doors can be quite long.
@@ -1094,6 +1172,7 @@ get_webdav_door () {
   # - a lot of tags (which means it's publically advertised)
   # - port 443 is preferred (reduces firewall issues)
   # - a low load (we don't want a busy door)
+  $debug && echo "Method 3: ask API for door information" 1>&2
   command='$debug && set -x
            curl "${curl_authorization[@]}" \
                 "${curl_options_common[@]}" \
@@ -1123,10 +1202,14 @@ get_webdav_door () {
   fi
   # If we got a WebDAV door, we're done! Print value and return.
   if [ -n "$webdav_door" ] ; then
+    $debug && echo 1>&2 "Selected WebDAV door: '$webdav_door'"
     echo "$webdav_door"
     return 0
   else
-    echo "Unable to get WebDAV door. Please try again with --debug to get more information." 1>&2
+    $debug && echo "Method 3 failed. No other methods available." 1>&2
+    echo 1>&2 "Unable to get WebDAV door. Please try again with --debug to get more information." \
+              "If you want to upload or download, you could prepend the remote file with the webdav door." \
+              "See the help text for more information."
     return 1
   fi
 }
@@ -1172,6 +1255,29 @@ pathtype () {
 }
 
 
+exists () {
+  # Check whether a path exists. If the path doesn't exist, just continue.
+  # Similar to pathtype(), but that one quits with error if the path doesn't exist.
+  encoded_path=$(urlencode "$1")
+  # Warn the developers not to call this function before the auth has been set up.
+  if [ -z "$curl_authorization" ] ; then
+    echo 1>&2 "ERROR: calling function exists() before authentication has been set up." \
+              "Please submit an issue for this at https://github.com/sara-nl/SpiderScripts/ ."
+    exit 1
+  fi
+  result=$(
+            $debug && set -x
+            curl "${curl_authorization[@]}" \
+                 -H "accept: application/json" \
+                 --silent \
+                 -X GET "$api/namespace/$encoded_path" 2>/dev/null
+          )
+  # jq will check if key .fileType exists.
+  # The exit code of jq will be passed on to the caller of the function.
+  echo "$result" | jq 'has("fileType")' | grep --silent 'true'
+}
+
+
 is_dir () {
   # Check whether a path is a directory. If the path doesn't exist, just continue.
   # Similar to pathtype(), but that one quits with error if the path doesn't exist.
@@ -1733,6 +1839,94 @@ get_checksums () {
 }
 
 
+get_checksum () {
+  # Prints the requested checksum of a dCache file; nothing else.
+  # If the checksum of that type is not in the dCache database, print nothing.
+  local type="$1"
+  local path="$2"
+  encoded_path=$(urlencode "$path")
+  # Make sure the checksum type is something that dCache understands
+  case $type in
+    adler32 | ADLER32 )
+      type=ADLER32
+      ;;
+    md5* | MD5* )
+      type=MD5_TYPE
+      ;;
+    * )
+      echo 1>&2 "ERROR: checksum type '$type' is unsupported."
+      exit 1
+      ;;
+  esac
+  # We output only the requested checksum, nothing else.
+  # If the requested checksum for this file is not in the dCache database,
+  # the result will be empty.
+  $debug && set -x
+  curl "${curl_authorization[@]}" \
+       "${curl_options_no_errors[@]}" \
+       -X GET "$api/namespace/$encoded_path?checksum=true" \
+  | jq -r ".checksums[] | select(.type == \"$type\") | .value"
+  { set +x ; } &> /dev/null
+}
+
+
+get_local_checksum () {
+  # prints the checksum of a local file (not in dCache).
+  local type="$1"
+  local file="$2"
+  case $type in
+    adler32 | ADLER32 )
+      # This might be the most portable way to calculate an Adler32 checksum.
+      python3 -c "import zlib,sys;print(format(zlib.adler32(open('$file','rb').read()) & 0xffffffff,'08x'))"
+      ;;
+    md5* | MD5* )
+      md5sum --quiet "$file"
+      ;;
+    * )
+      echo 1>&2 "ERROR: checksum type '$type' is unsupported."
+      exit 1
+      ;;
+  esac
+}
+
+
+compare_checksums() {
+  local local_file="$1"
+  local remote_file="$2"
+  $debug && echo 1>&2 "Comparing checksums..."
+  # Get the checksum of the remote file from the dCache database.
+  # First try Adler32 because it is the default in dCache,
+  # and fastest to calculate locally.
+  remote_checksum=$(get_checksum ADLER32 "$remote_file")
+  if [[ -n $remote_checksum ]] ; then
+    local_checksum=$(get_local_checksum ADLER32 "$local_file")
+  else
+    # No Adler32 in the dCache database? Then try MD5.
+    remote_checksum=$(get_checksum MD5 "$remote_file")
+    if [[ -z $remote_checksum ]] ; then
+      echo 1>&2 "ERROR: unable to get a checksum for file '$remote_file'."
+      exit 1
+    fi
+    local_checksum=$(get_local_checksum MD5 "$local_file")
+  fi
+  if [[ "$local_checksum" == "$remote_checksum" ]] ; then
+    if $debug ; then
+      echo 1>&2 "Remote checksum: $remote_checksum for file '$remote_file'." ;
+      echo 1>&2 "Local checksum : $local_checksum for file '$local_file'." ;
+    fi
+    echo "Checksum OK."
+    return 0
+  else
+    {
+      echo "ERROR: Checksum mismatch!"
+      echo "Remote checksum: $remote_checksum" ;
+      echo "Local checksum : $local_checksum" ;
+    } 1>&2
+    return 1
+  fi
+}
+
+
 get_channel_by_name () {
   local channel_name="$1"
   # Many other API calls depend on this one.
@@ -2306,6 +2500,9 @@ validate_input() {
       ;;
   esac
 
+  # Basic input validation, such as checking if necessary arguments are provided.
+  # Validation that uses the API is done later, because authentication has
+  # not been set up yet.
   case $command in
     list | stat | mkdir | mv | delete | \
     setlabel | lslabel | findlabel | rmlabel | \
@@ -2381,6 +2578,16 @@ validate_input() {
         exit 1
       fi
       ;;
+    upload | download )
+      if [[ -z $source || $source == --* ]] ; then
+        echo 1>&2 "ERROR: please specify a source file for your $command."
+        exit 1
+      fi
+      if [[ -z $target || $target == --* ]] ; then
+        echo 1>&2 "ERROR: please specify a target for your $command."
+        exit 1
+      fi
+      ;;
     stat-request | delete-request)
       if [[ -z $request_id || $request_id =~ ^-- ]] ; then
         echo 1>&2 "ERROR: command $command requires a request-id."
@@ -2657,6 +2864,252 @@ api_call () {
           ;;
       esac
       ;;
+    upload )
+      # Initialise
+      curl_args=()
+      # Check source (local) file
+      if [[ ! -f $source ]] ; then
+        echo 1>&2 "ERROR: local file '$source' does not exist or is not a file."
+        exit 1
+      fi
+      # Check target (remote) path.
+      # Has the user prepended a WebDAV door to the target? Split it.
+      if [[ "$target" == *"://"* ]]; then
+        webdav_door=$(echo "$target" | sed -nE 's#^([^:]+://[^/]+).*#\1#p')
+        path=$(echo "$target" | sed -nE 's#^[^:]+://[^/]+(/.*)#\1#p')
+        $debug && echo 1>&2 "webdav_door = $webdav_door | path = $path"
+      else
+        webdav_door=""
+        path="$target"
+      fi
+      # If the target exists, it may be OK, if it's a dir.
+      if exists "$path" ; then
+        $debug && echo 1>&2 "Path $path exists."
+        # Let's check the target path. If it exists, it should be a dir, not a file,
+        # because dCache usually does not allow overwrites, and even if it does,
+        # overwrites can be dangerous.
+        case $(pathtype "$path") in
+          REGULAR )
+            # Target (remote) exists and is a file.
+            # If user wants to verify checksums, we verify checksums!
+            if $verify_checksum ; then
+              echo 1>&2 "Target (remote) file '$path' already exists. Verifying checksum..."
+              compare_checksums "$source" "$path" || exit 1
+              exit 0
+            else
+              # User not interested in checksums. We show an error message.
+              echo 1>&2 "ERROR: target '$path' is an existing file. Ada doesn't support overwriting a file."
+              exit 1
+            fi
+            ;;
+          LINK )
+            echo 1>&2 "ERROR: target '$path' is a symlink. A symlink can point to a file or a directory." \
+                      "Ada does not support uploading to a symlink."
+            exit 1
+            ;;
+          DIR )
+            real_target="$target$(basename "$source")"
+            if exists "$real_target" ; then
+              if $verify_checksum ; then
+                echo 1>&2 "Target '$real_target' already exists. Verifying checksum..."
+                compare_checksums "$source" "$real_target" || exit 1
+                exit 0
+              else
+                echo 1>&2 "Target '$real_target' already exists. Ada does not support overwriting."
+                exit 1
+              fi
+            fi
+            ;;
+        esac
+      else
+        # target does not exist. That is OK, if the parent dir exists.
+        $debug && echo 1>&2 "Path $path does not exists."
+        parent=$(dirname "$path")
+        if ! is_dir "$parent" ; then
+          echo 1>&2 "ERROR: parent of '$path', '$parent', is not a directory." \
+                    "Can't write there. Please create that directory first."
+          exit 1
+        fi
+      fi
+      #
+      # Does the user want to automatically verify checksum?
+      # This has a few advantages:
+      # - An MD5 checksum will be added to the file in dCache
+      # - Upload will fail when the checksum doesn't match, and
+      #   the corrupt file will be removed automatically.
+      if $verify_checksum ; then
+        $debug && set -x   # In debug mode, switch on tracing
+        source_checksum=$(md5sum "$source" | cut -d' ' -f1 | xxd -r -p | base64)
+        { set +x ; } 2>/dev/null   # Silently switch off tracing
+        if [[ -z $source_checksum ]] ; then
+          echo 1>&2 "ERROR: you want to upload with checksum verification," \
+                    "but the checksum of '$source' could not be found."
+          exit 1
+        fi
+        curl_args=(
+          -H "Content-MD5: $source_checksum"
+        )
+      fi
+      # We can't upload through the API; we need a WebDAV door for that.
+      # If the user hasn't prepended the WebDAV door to the target,
+      # we need to discover it.
+      if [[ -z $webdav_door ]] ; then
+        webdav_door=$(get_webdav_door "$api")
+      else
+        $debug && echo 1>&2 "User specified WebDAV door: $webdav_door"
+      fi
+      # Some dCache WebDAV doors may redirect from HTTPS to HTTP.
+      # By default, we prevent that with curl --proto =https.
+      # But there may be valid reasons to allow HTTP:
+      # it's faster. So we allow the user to override this
+      # with '--allow-insecure-redirects'.
+      if ! $allow_insecure_redirects ; then
+        # User does not override: limit curl to HTTPS only.
+        curl_args+=(
+          --proto '=https'
+        )
+      fi
+      # We should be ready to upload now!
+      if $verify_checksum ; then
+        echo 1>&2 "Uploading with checksum verification..."
+      else
+        echo 1>&2 "Uploading..."
+      fi
+      $debug && set -x   # If --debug is specified, show curl command (tracing on)
+      curl "${curl_authorization[@]}" \
+           --location --post302 \
+           "${curl_args[@]}" \
+           -T "$source" \
+           "$webdav_door$path"
+      { set +x ; } 2>/dev/null   # Silently switch off tracing
+      ;;
+    download )
+      # Initialise
+      curl_args=()
+      #
+      # Check target (local)
+      # We check the target first because it is local and thus faster.
+      #
+      curl_target=()
+      # Does the local (target) file already exist?
+      if [[ -f $target ]] ; then
+        # If user wants to verify checksums, we verify checksums!
+        if $verify_checksum ; then
+          echo 1>&2 "Target (local) file '$target' already exists. Verifying checksum..."
+          compare_checksums "$target" "$source" || exit 1
+          exit 0
+        else
+          # User not interested in checksums. We show an error message.
+          echo 1>&2 "ERROR: Target file '$target' already exists."
+          exit 1
+        fi
+      fi
+      # If the target is a directory, we tell curl to use the
+      # remote filename
+      if [[ -d $target ]] ; then
+        real_target="${target%/}/$(basename "$source")"
+        if [[ -e "$real_target" ]] ; then
+          echo 1>&2 "ERROR: destination '$real_target' already exists."
+          exit 1
+        fi
+      fi
+      # If the target does not exist, it's OK if the parent dir exists.
+      if [[ ! -e $target ]] ; then
+        parent=$(dirname "$target")
+        if [[ ! -d $parent ]] ; then
+          echo "ERROR: Can't download to '$target': directory '$parent' does not exist."
+          exit 1
+        fi
+        real_target="$target"
+      fi
+      curl_target=(--output "$real_target")
+      #
+      # Check source (remote).
+      #
+      # Has the user prepended a WebDAV door to the source? Split it.
+      if [[ "$source" == *"://"* ]]; then
+        webdav_door=$(echo "$source" | sed -nE 's#^([^:]+://[^/]+).*#\1#p')
+        path=$(echo "$source" | sed -nE 's#^[^:]+://[^/]+(/.*)#\1#p')
+        $debug && echo 1>&2 "webdav_door = $webdav_door | path = $path"
+      else
+        webdav_door=""
+        path="$source"
+      fi
+      # Does the source (remote path) exist?
+      if ! exists "$path" ; then
+        echo 1>&2 "ERROR: source file '$path' does not exist."
+        exit 1
+      fi
+      # The source path should be a file, not a dir or a link.
+      case $(pathtype "$path") in
+        DIR )
+          echo 1>&2 "Source '$path' is a directory. Ada does not support downloading a directory." \
+                    "You can use Rclone for that."
+          exit 1
+          ;;
+        LINK )
+          echo 1>&2 "ERROR: source '$path' is a symlink. A symlink can point to a file or a directory." \
+                    "Ada does not support downloading from a symlink."
+          exit 1
+          ;;
+      esac
+      # If the source file is only on tape and not online,
+      # dCache would automatically stage it when we read it, but
+      # that could take a very long time (varying from minutes to days).
+      # All that time, the curl would be waiting for the file,
+      # keeping a transfer slot occupied, and confusing the user.
+      # So, we refuse to download tape files, and suggest to stage them.
+      if ! is_online "$path" ; then
+        # Construct the stage command that the user would need to stage this file.
+        cmd_args=""
+        if [[ "${args[*]}" =~ "api" ]]; then
+          cmd_args="--api $api"
+        fi
+        if [[ "${args[*]}" =~ "netrc" || "${args[*]}" =~ "proxy" || "${args[*]}" =~ "tokenfile" ]]; then
+          cmd_args="--$auth_method $auth_file $cmd_args"
+        fi
+        {
+          echo "ERROR: file '$path' exists, but it is on tape, and not online." \
+              "You need to stage it first before you can download it." \
+              "You can do that with this command:"
+          echo
+          echo "   $0 --stage $path" "$cmd_args" | tr -d '\r'
+          echo
+          echo "Please note, that staging works most efficiently when done in bulk."
+        } 1>&2
+        exit 1
+      fi
+      # We can't download through the API; we need a WebDAV door for that.
+      # If the user hasn't prepended the WebDAV door to the source,
+      # we need to discover it.
+      if [[ -z $webdav_door ]] ; then
+        webdav_door=$(get_webdav_door "$api")
+      else
+        $debug && echo 1>&2 "User specified WebDAV door: $webdav_door"
+      fi
+      # Some dCache WebDAV doors may redirect from HTTPS to HTTP.
+      # By default, we prevent that with 'curl --proto =https'.
+      # But there may be valid reasons to allow HTTP:
+      # it's faster. So we allow the user to override this
+      # with '--allow-insecure-redirects'.
+      if ! $allow_insecure_redirects ; then
+        # User does not override: limit curl to HTTPS only.
+        curl_args+=(
+          --proto '=https'
+        )
+      fi
+      # We should be ready to download!
+      $debug && set -x   # If --debug is specified, show curl command (tracing on)
+      curl "${curl_authorization[@]}" \
+           "${curl_args[@]}" \
+           --location --post302 \
+           "$webdav_door$path" \
+           "${curl_target[@]}"
+      { set +x ; } 2>/dev/null   # Silently switch off tracing
+      if $verify_checksum ; then
+        compare_checksums "$real_target" "$path" || exit 1
+      fi
+      ;;
     setlabel | lslabel | rmlabel )
       case $(pathtype "$path") in
         DIR )