Storage Configuration
Configure your organization's object storage — local, S3-compatible, or Azure Blob — and understand when files upload directly from the browser versus through the server.
Every organization stores its files (knowledge-base documents, chat attachments, avatars, workflow artifacts) in a storage backend you configure under Settings → Organization → Storage. Three providers are supported:
| Provider | When to use |
|---|---|
| Local | Single-node evaluation installs. Files live on the server's disk. |
| S3-compatible | AWS S3, MinIO, SeaweedFS (bundled), Cloudflare R2, or any S3 API. |
| Azure Blob Storage | Azure-native deployments (the default on Azure Marketplace installs). |
S3 settings
- Endpoint URL — the S3 endpoint the platform servers use. For the bundled SeaweedFS this is the in-cluster service address; for AWS S3 leave it blank.
- Public endpoint URL (optional) — a browser-reachable endpoint used only for signing direct-upload/download URLs. Set this when your Endpoint URL is private (cluster-internal or behind a firewall) but you have exposed the same store publicly (e.g. through an ingress) and want browser-direct transfers.
- Bucket, Region, Access key / Secret key, Force path style — standard S3 client settings. Credentials are stored encrypted in the platform secret store.
Direct uploads vs. server-proxied uploads
For speed, the platform prefers browser-direct transfers: the browser uploads straight to your storage using a short-lived presigned URL. That only works when the storage endpoint is reachable from your users' browsers.
The platform decides automatically:
- AWS S3 / Azure Blob — always direct.
- S3-compatible store with a public hostname — direct.
- S3-compatible store with a private endpoint (the bundled SeaweedFS, or MinIO on a private network) — uploads and downloads are routed through the platform server instead. Everything still works; large transfers simply pass through the server.
- Private endpoint + Public endpoint URL configured — direct, using the public endpoint for signing.
If you configure a Public endpoint URL, the storage host must allow
cross-origin (CORS) PUT/GET requests from your platform origin —
browser-direct transfers are cross-origin requests.
Symptom to watch for: uploads failing in the browser console with
net::ERR_NAME_NOT_RESOLVED against your storage hostname means a private
endpoint leaked into browser transfers. On current versions this cannot
happen — the platform detects private endpoints and proxies automatically.
If you see it, upgrade, or clear the Public endpoint URL field if it
points at a host your users cannot reach.
Changing providers
Switching providers (or buckets) offers a migration that copies existing objects to the new target before the configuration is saved. Configuration changes take effect within five minutes (config caches).