Storage & Files
Configure file storage providers — S3-compatible, Public CDN, and SharePoint — for your project
Every project gets a file storage system for handling uploads and attachments. You can use the built-in default storages or connect your own provider.
Default storages
Every project automatically gets two storages, both auto-provisioned and read-only in the UI (cannot be deleted or have their provider type changed):
- Default Storage — 1 GB quota on a shared S3 bucket managed by the platform. Files require authenticated access via the platform's proxy.
- Public CDN — 1 GB quota on a Bunny.net Edge Storage Zone. Files are served via permanent public URLs at
https://cdn.smallstack.com/projects/{projectId}/...and anyone with the URL can view them. Use this for hero images, public assets, and downloadable files.
Public CDN behaviour
- Path layout: files are stored under
projects/{projectId}/{userPath}in the Bunny Storage Zone. - Public URLs:
https://cdn.smallstack.com/projects/{projectId}/{userPath}— permanent, no signing, no expiry. Right-click → "Save as…" yields the original filename when it was already CDN-safe. - Per-request size limit: 50 MB hard cap (matches the OVHcloud Caddy ingress limit).
- Project quota: 1 GB temporary cap; a global quota system will replace this in a later release.
- Filename validation: filenames must consist of
[a-zA-Z0-9._-]+per segment. When the user-supplied name fails validation, the platform sanitises it (e.g.My Photo.JPG→my-photo.jpg) and shows a non-blocking notice with the new name. - Collision handling: if the resolved filename already exists, the upload is paused and the user is prompted to Overwrite or Cancel. When the file was also auto-renamed during sanitisation, the dialog shows both the original and final name.
- Upload mechanism: Bunny does not support presigned URLs, so uploads stream directly through the SvelteKit endpoint into Bunny's Edge Storage (no buffering). Anonymous read happens via the CDN URL and bypasses our API entirely.
Custom storage providers
You can add additional storage providers connected to your own infrastructure.
S3-compatible storage
Supported providers include AWS S3, Hetzner Cloud Storage, DigitalOcean Spaces, MinIO, and any S3-compatible service.
Required configuration:
| Field | Required | Notes |
|---|---|---|
| Access Key ID | Yes | |
| Secret Access Key | Yes | |
| Bucket name | Yes | |
| Region | No | Required for some providers |
| Custom endpoint | No | Required for non-AWS providers |
Microsoft SharePoint
Stores files in a SharePoint Online document library.
Required configuration:
| Field | Required | Notes |
|---|---|---|
| Site URL | Yes | e.g., https://yourcompany.sharepoint.com/sites/MyProject |
| Azure AD Client ID | Yes | From your App Registration |
| Azure AD Client Secret | Yes | From your App Registration |
| Azure AD Tenant ID | Yes | |
| Drive ID | No | Defaults to the site's default document library |
Managing storage
Navigate to Project Settings → Storages to:
- View all configured storages with usage stats
- Create a new custom storage
- Edit an existing storage's configuration
- Delete a custom storage (the default storage cannot be deleted)
Permissions
Storage uses a dual permission model:
- Storage management permissions (
access) — who can view, edit, or delete the storage configuration - File operation permissions (
fileAccess) — who can upload, download, or delete files within the storage
Both default to project-level permissions if not explicitly set.
You can configure a storage to allow anonymous file access — for example, letting event attendees upload photos without logging in — by setting the fileAccess field to allow anonymous operations.
→ Developer details: Storage Permissions
API endpoints
| Method | Path | Description |
|---|---|---|
GET |
/api/projects/{projectId}/storages |
List all storages |
POST |
/api/projects/{projectId}/storages |
Create a storage |
GET |
/api/projects/{projectId}/storages/{storageId} |
Get storage details |
PUT |
/api/projects/{projectId}/storages/{storageId} |
Update a storage |
DELETE |
/api/projects/{projectId}/storages/{storageId} |
Delete a storage |
Security
- Storage credentials are stored encrypted
- Password fields are masked in the UI
- Storage management requires project update permissions by default
- File operations require project read/update permissions by default
- Anonymous access must be explicitly configured (it is off by default)
Related
- SharePoint Templates — configure SharePoint folder templates for data types
- Storage Permissions — developer reference for the permission model