Skip to content
Endatix
Integrations

File Storage

Connect Endatix to Azure Blob Storage, Amazon S3, or a self-hosted RustFS instance for file uploads and form assets.

Azure Blob
Amazon S3
RustFS
Private upload flow
1
Respondent selects file
2
Hub requests presigned PUT URL from API
3
Browser uploads directly to storage provider
4
Canonical URL stored in submission JSON
5
API generates signed read URL on access

Secure file handling

File uploads (documents, signatures, images, audio or video recordings) require a secure, and fast storage.

  • Private file storage
  • Bulk file downloads (ZIP archive)
  • Preview media files
  • Inline image rendering in PDF exports

Supported providers

Azure Blob Storage
STORAGE_PROVIDER=azure

Best choice for Azure-hosted deployments. Supports StorageV2 accounts, SAS-token–based private access, and direct CDN routing.

  • StorageV2 account with two containers (user-files, content)
  • SAS token generation for read and write URLs
  • CORS configured per Hub origin
  • Compatible with Azure Front Door and CDN endpoints
RustFS
STORAGE_PROVIDER=s3

S3-compatible open-source storage. The recommended option for self-hosted Endatix deployments. Runs as a Docker container alongside the API.

  • Full S3 API compatibility — same env vars work for AWS S3
  • path-style URLs required (STORAGE_S3_FORCE_PATH_STYLE=true)
  • Single-node or multi-node Docker deployments
  • Companion compose file included in the Endatix repo
Amazon S3 (and compatible)
STORAGE_PROVIDER=s3

Any S3-compatible provider — AWS S3, DigitalOcean Spaces, Cloudflare R2, Backblaze B2 — works with the same S3 environment variables.

  • Configure STORAGE_S3_ENDPOINT to the provider endpoint
  • Standard AWS credential env vars (access key + secret)
  • Virtual-hosted style vs path-style controlled by STORAGE_S3_FORCE_PATH_STYLE
  • CORS rules must allow Hub origin for browser PUT uploads

Security design

Private mode by default

Containers are locked. Files are never directly accessible by URL. Endatix generates short-lived signed URLs only after verifying the caller has permission.

Short-lived signed URLs

Read SAS URLs expire in 15 minutes. Write SAS URLs expire in 180 seconds. The browser only ever holds a time-limited credential — not the storage key.

Direct-to-cloud uploads

Files upload straight from the browser to the storage provider using a pre-signed PUT URL. Large files never pass through your .NET or Node.js servers.

Why not base64 in the database?

Base64 in a JSON column can't be streamed, can't be CDN-cached, can't be signed, makes DB backups enormous, and exposes file data in every submission query. Object storage avoids all of these issues.

File Storage

Secure file uploads without the storage plumbing.

Set a handful of environment variables and Endatix handles the rest — presigned URLs, access control, and export rewriting included.

Storage docs Talk to us