Files Api
Encrypted Storage and Streaming for Any File
The Server Cannot Read What It Stores
Encryption Keys Stay With the Client
A Key the Server Never Retains
Each file is encrypted with a key the client supplies at upload. The server applies the key, writes only the ciphertext, and does not retain the key beyond the request. At download, the client supplies the key again and the server decrypts on the fly before streaming the result. The key is never persisted — not to disk, not to memory between requests.
Breach-Resistant by Construction
Full server compromise delivers ciphertext for every file the storage volume holds. The folder names and filenames on disk are also encrypted — an attacker who gains filesystem access finds neither readable content nor a recognizable directory layout. The encryption guarantee does not depend on the server remaining uncompromised.
Built for Files of Any Size
Streaming Without Memory Overhead
Large Files Stream End-to-End
Uploads and downloads are handled as byte streams throughout the entire server pipeline. No file is loaded entirely into memory. A 10 GB video upload and a 1 KB configuration file consume the same server memory during transit. The streaming path scales to file sizes that would exhaust any in-memory approach.
Small Files Delivered at Cache Speed
Files under the configured size threshold are cached in memory after the first download. Subsequent calls to DownloadSmall return the cached bytes without touching the disk or the decryption stack. The cache operates on a sliding expiration window, adapting automatically to access patterns without any configuration changes at runtime.
Organized by Application and Folder
A Structure That Mirrors Your Application's Domain
Folders Are Yours to Define
Files are organized under application-scoped folders. Folder names and filenames are supplied as plain strings and encrypted before they reach the filesystem. The storage layout adapts to whatever directory structure your application defines — no schema changes, no migrations, no administrator intervention required.
Full Lifecycle Control
List all files in a folder. List all folders for an application. Delete a single file, a folder with all its contents, or purge every file and folder for an application in a single call. The Files Api exposes the complete set of operations a production file lifecycle requires.
Two Cache Layers, One Interface
Client and Server Coordinate Without Configuration
The Client Caches Too
The Files Api client library maintains its own in-memory cache for small files. A file downloaded once is returned from the client cache on repeated requests — no network round-trip, no server call. The same sliding expiration window governs both caches, so client and server expire entries on the same schedule without any manual coordination.
Transparent to the Caller
The application calls DownloadSmallAsync and receives the file bytes. Whether those bytes came from the client cache, the server cache, or the encrypted disk is invisible to the caller. The caching strategy is an implementation detail — the interface behaves identically regardless of which layer served the response.
Connected by Design
Files Is Built for the Full Arch Stack
Keys Api
Encryption keys for files are best managed in the Keys Api. The Keys Api stores per-user or per-operation encryption keys under the same sovereignty guarantees as the files themselves. A client derives its encryption key from the Keys Api and supplies it to the Files Api at upload and download.
Your Application
Your microservice stores and retrieves files through the IFilesApiClient interface. Upload streams directly from the source; download streams directly to the destination. Encryption, streaming, and caching are handled by the Files Api without requiring the application layer to manage any of it. What would otherwise be separate storage, encryption, and delivery systems is the default behavior of a single dependency.
Tech Sovereignty
Arch
Company
About Contact