Enterprise storage APIs · Managed backend
Simple storage APIs.
Enterprise-grade backend.
Sporage gives your applications an Azure-Blob-style REST API for files, folders, and metadata — while your data lives on governed, enterprise storage that we manage end-to-end. No cloud accounts to set up. Just an API key.
curl -X POST "http://localhost:3000/api/v1/containers/contracts/files" \
-H "X-API-Key: sk_live_..." \
-F "file=@agreement.pdf"
{ "success": true,
"data": { "file": { "id": "file_8fK2...", "name": "agreement.pdf" } },
"requestId": "req_a1b2c3" }How it works
Your application talks to our REST API. We handle authentication, tenant isolation, quotas, and the entire storage backend behind the scenes.
1 · Authenticate
Your app sends its API key. We resolve your account, containers, permissions, and quotas — no Entra ID or Microsoft 365 accounts required.
2 · Use logical containers
Work with named containers like contracts or invoices. Storage-backend identifiers, paths, and internal IDs stay hidden.
3 · We handle the backend
The platform translates every operation into governed calls against your dedicated managed storage.
Storage API features
Files
Upload, download, rename, copy, move, and delete files with clean REST endpoints and consistent JSON envelopes.
Folders & listings
Create folders, list children, paginate with cursors, filter by type and name, sort by name, size, or date.
Metadata
Read system metadata and attach your own custom keys per file — schemas configured per container.
Async jobs
Copy operations run as jobs with a polling endpoint — no waiting on long-running requests.
Isolation & quotas
Hard customer isolation, per-account quotas, per-key permissions and rate limits, enforced before any byte is written.
Auditability
Every operation is logged with request IDs, durations, and outcomes — ready for your compliance reviews.
Security by design
- API keys are hashed with HMAC-SHA-256 — the full key is shown once and never stored or logged.
- Backend tokens, storage paths, and internal item IDs never leave the platform. Customers only ever see opaque public IDs.
- Every lookup is scoped to your customer, storage account, and container — cross-tenant access is structurally impossible.
- Per-key permissions, IP allowlists, expiry dates, rate limiting, and full audit logging from day one.