Files Api
Encrypted Storage and Streaming for Any File
Features
  • Per-File Encryption: Every file is encrypted with a key supplied by the client on each request. The server stores only ciphertext and never retains the key between calls.
  • Client-Held Encryption Keys: The encryption key is provided per request and is never persisted server-side. A complete server compromise yields no key material.
  • Encrypted Folder and Filename Paths: Folder names and filenames are encrypted before they reach the filesystem. The directory structure on disk reveals no application-level naming.
  • Streaming Upload: Files are uploaded as streams through the full server pipeline. No file is buffered entirely into memory regardless of size.
  • Streaming Download: Files are decrypted and streamed to the caller without being loaded into memory. Large file downloads place no additional pressure on server heap.
  • Small File Server Cache: Files under the configured size threshold are cached in server memory after the first download. Subsequent DownloadSmall requests are served without disk access or decryption overhead.
  • Small File Client Cache: The client library mirrors the server cache in process memory. A cached file is returned without a network round-trip. Both caches share the same sliding expiration window.
  • Folder Management: List root folders for an application, list subfolders within a parent, delete a folder and all its contents, or purge every file and folder for an application in a single call.
  • File Queries: Check file existence, retrieve file size in bytes, and list all files within a folder without downloading any data.
  • Envelope Encryption on All Requests: All sensitive parameters travel inside Protected<T> envelopes. Raw file metadata and keys never appear in transit in plaintext.
  • Authorization-Enforced Access: Every request to the Files Api is validated by the Application Api. A service must be registered and authorized before it can store or retrieve files.
How It Compares
Beyond What Conventional Object Stores Offer
The File Custody Problem, Solved
Cloud and self-hosted object stores manage file access — they do not eliminate file exposure. The Files Api stores data the server cannot read without a key the client must supply on each request. A breach that extracts the entire storage volume extracts encrypted file content and encrypted path metadata. Nothing actionable is recoverable without the client-held keys.
Capability
Files Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Per-file client-held encryption
No server-side key access
Encrypted folder and filename paths
Memory-efficient streaming
Coordinated client + server memory cache
Envelope encryption on all requests
Air-gappable
CLOUD Act exempt
✓¹
No third-party data custody
¹ EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact