Documentation
A quick tour of the parts of ObjectsDepo most teams touch first. Need something deeper? Reach out.
1. Sign in
Authentication is handled by an embedded Authentik SSO server. You can use email/password, or wire up your corporate IdP via OIDC or SAML. After signing in, you'll land in the application console.
2. The S3 API
The data plane speaks S3. Point any S3 SDK at https://s3.objectsdepo.com with path-style addressing and the access/secret keys you created in the console.
aws --endpoint-url https://s3.objectsdepo.com \
s3 cp ./report.pdf s3://my-bucket/2026/report.pdf
Presigned uploads
For browser-based uploads, ask the API for a presigned URL and PUT directly:
POST /v1/upload/init -> returns put_url PUT <put_url> -> uploads binary POST /v1/upload/complete
3. Tenants & buckets
Every account belongs to one or more tenants. Buckets live inside tenants — users can only see buckets their policies grant access to. Create a tenant from the console (Profile → Tenants → Create), then create a bucket inside it.
4. Policies (Cedar)
Access decisions are made by a Cedar policy engine. A minimal policy might read:
permit ( principal in TenantGroup::"editors", action in [Action::"GetObject", Action::"PutObject"], resource in Bucket::"photos" );
Attach policies to users or groups; ObjectsDepo evaluates them on every request and caches the decision for the configured TTL.
5. Versioning & sharing
Enable versioning per bucket from the console. Once on, every overwrite retains the previous object as a separate version. Share links can be generated either as time-limited presigned URLs or persistent share entries with their own ACL.