Skip to main content
Databunker Pro can store files, not just structured records. Each file is attached to a user, encrypted at rest, and served back only through the API. This lets you keep documents such as ID scans, KYC paperwork, medical attachments, or exported reports under the same vault, audit trail, and access-control policies that protect the rest of a user’s data.

How encryption works

Every file is encrypted with its own per-file key, which is in turn wrapped by the user’s record key. Nothing is written to storage in the clear, and a file can only be decrypted through the vault. Because the file key is chained to the user’s record key, file storage inherits two properties of the PII vault:
  • Crypto-shredding on erasure — deleting the user destroys the record key, which renders all of that user’s files permanently unrecoverable. This is the mechanism behind GDPR “right to erasure” for attached documents.
  • Shared key management — the same key rotation, Shamir’s secret sharing, multi-tenancy, and access control apply to files as to any other record.
Encrypted objects are stored in a configurable backend:
BackendTypical use
Local diskSingle-node or on-prem deployments
Amazon S3AWS deployments
Google Cloud StorageGCP deployments
Azure Blob StorageAzure deployments
The storage backend only ever holds ciphertext — the keys live in the vault, not with the objects.

API operations

EndpointPurpose
FileCreateStore an encrypted file for a user
FileGetRetrieve and decrypt a file
FileListUserFilesList a user’s files (metadata only)
FileDeleteRemove a file’s object and metadata
Every call identifies the owning user with a mode (login, token, email, phone, or custom) and the matching identity.

Store a file

File content is supplied as a base64-encoded filedata field. The MIME type is auto-detected when mimetype is omitted.
curl -X POST https://databunker.pro/v2/FileCreate \
  -H "X-Bunker-Token: <access-token>" \
  -H "X-Bunker-Tenant: <tenant-name>" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "email",
    "identity": "user@example.com",
    "filename": "passport.pdf",
    "filedata": "JVBERi0xLjQKJ...",
    "slidingtime": "1y"
  }'
Output:
{
  "status": "ok",
  "token": "550e8400-e29b-41d4-a716-446655440000",
  "fileuuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "duplicate": false
}
If the same content is uploaded again for the same user, no new object is written and the response sets "duplicate": true.

Retrieve a file

Select a file by fileuuid (preferred) or by filename — when selecting by name, the most recently created file with that name is returned. By default the content comes back as a base64-encoded filedata field:
curl -X POST https://databunker.pro/v2/FileGet \
  -H "X-Bunker-Token: <access-token>" \
  -H "X-Bunker-Tenant: <tenant-name>" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "email",
    "identity": "user@example.com",
    "fileuuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }'
{
  "status": "ok",
  "fileuuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "filename": "passport.pdf",
  "mimetype": "application/pdf",
  "size": 20481,
  "filedata": "JVBERi0xLjQKJ..."
}
For direct downloads, set "raw": true to receive the decrypted bytes with the appropriate Content-Type and Content-Disposition headers instead of a JSON envelope.

List a user’s files

FileListUserFiles returns metadata only — never file content:
curl -X POST https://databunker.pro/v2/FileListUserFiles \
  -H "X-Bunker-Token: <access-token>" \
  -H "X-Bunker-Tenant: <tenant-name>" \
  -H "Content-Type: application/json" \
  -d '{ "mode": "email", "identity": "user@example.com" }'
{
  "status": "ok",
  "files": [
    {
      "fileuuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "filename": "passport.pdf",
      "mimetype": "application/pdf",
      "size": 20481,
      "creationtime": 1751980800
    }
  ]
}

Delete a file

FileDelete removes both the stored object and its metadata:
curl -X POST https://databunker.pro/v2/FileDelete \
  -H "X-Bunker-Token: <access-token>" \
  -H "X-Bunker-Tenant: <tenant-name>" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "email",
    "identity": "user@example.com",
    "fileuuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }'

Retention and expiration

Files support the same expiration model as tokens. Set slidingtime for a relative retention window (e.g. 30d, 1y) or finaltime for an absolute cutoff (e.g. 90d, 2026-01-01). This lets you enforce document retention policies automatically instead of tracking expiry in your own application.