ℹ️ The Tresorit API is currently in the Early Adopter phase. If you'd like to try it out, join our waitlist by sending an email to support@tresorit.com with your company name and a brief overview of how you plan to use the API.
Tresorit provides an S3-compatible API that enables applications, tools, and systems supporting the Amazon S3 standard to interact with Tresorit's cloud storage while preserving end-to-end encryption (E2EE).
The API follows standard S3 semantics, so it can be used with many S3-compatible tools and SDKs, such as rclone, MinIO, or standard Amazon S3 SDKs.
Tresorit storage elements map to S3 concepts as follows:
| Tresorit | S3 equivalent |
| --- | --- |
| Main folder | Bucket |
| File | Object |
Architecture
To maintain Tresorit's encryption model, the API runs locally in your environment. It is provided as Docker containers that you deploy either on-premises or in your private cloud.
All encryption and decryption take place on your infrastructure.
Once deployed and authenticated, the API exposes an S3-compatible endpoint that clients can connect to.
Default endpoint
Limitations
Upload size
Single file uploads are limited to 5 GB. Downloads are not subject to this limit.
Multipart uploads
PutObject multipart uploads are not currently supported.
ℹ️ The technical limitations are documented in the GitHub repository.
Important notes
Listing files created by other clients
By default, the API lists only files created through the same API instance. To include files created by other clients (for example, desktop or mobile clients), add the following header to listing requests:
This applies to:
- REST GET and HEAD listing requests
- S3 tools such as rclone
Bucket naming
Some S3 clients strictly validate bucket names. Ensure that main folder names follow standard S3 bucket naming rules; otherwise, they may not work with all S3 clients.
Setup
Full setup instructions are available in the GitHub repository.
To use the API, you need:
- Docker and Docker Compose
  The docker-compose.yaml file can be customized to match your network, security, and exposure requirements.
- A Tresorit user account
  You can use either an existing account or a dedicated account created specifically for API access.
Using the API
S3-compatible REST API
The API exposes an S3-compatible REST interface for storing, retrieving, and managing objects.
Authentication and request signing
- The API authenticates to Tresorit using the provided Tresorit user account.
- After authentication, credentials are generated locally in credentials.json.
- Client requests to the locally running API instance must be signed using AWS Signature Version 4. Most S3 tools and SDKs handle request signing automatically.
Typical S3 client configuration
- Access Key ID: value of client_id (see credentials.json in the API root after login)
- Secret Access Key: value of client_secret (see credentials.json in the API root after login)
- Region: us-east-1 (fixed)
- Service: s3
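What an S3 client does with these settings when it signs a request, as an added example (not Tresorit's code): it maps `client_id` and `client_secret` from credentials.json to the access key pair and computes an AWS Signature Version 4 `Authorization` header for region us-east-1 and service s3. The credential values, host name, object path and timestamp are constructed placeholders, and real credentials.json files may contain other fields.

```python
import datetime
import hashlib
import hmac
import json
from urllib.parse import quote

REGION, SERVICE = "us-east-1", "s3"  # fixed values from the client configuration above

def load_keys(credentials_json: str) -> tuple[str, str]:
    """Map client_id / client_secret to (access key ID, secret access key)."""
    doc = json.loads(credentials_json)
    return doc["client_id"], doc["client_secret"]

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign(method, host, path, body, access_key, secret_key, now):
    """SigV4 headers for a request with no query string; `path` is unencoded, `now` is UTC."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    day = amz_date[:8]
    payload_hash = hashlib.sha256(body).hexdigest()
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    signed = ";".join(sorted(headers))
    canonical = "\n".join([
        method, quote(path, safe="/"), "",  # "" = empty canonical query string
        "".join(f"{name}:{headers[name]}\n" for name in sorted(headers)),
        signed, payload_hash,
    ])
    scope = f"{day}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret_key).encode()
    for part in (day, REGION, SERVICE, "aws4_request"):
        key = _hmac(key, part)  # derive the per-day, per-region, per-service key
    signature = _hmac(key, to_sign).hex()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return headers

# Constructed sample values: not real credentials; the host is a placeholder.
SAMPLE_CREDENTIALS = '{"client_id": "EXAMPLE-CLIENT-ID", "client_secret": "example-secret"}'
SAMPLE_HOST = "tresorit-api.invalid:8080"
SAMPLE_TIME = datetime.datetime(2024, 1, 2, 3, 4, 5, tzinfo=datetime.timezone.utc)

if __name__ == "__main__":
    ak, sk = load_keys(SAMPLE_CREDENTIALS)
    for name, value in sign("PUT", SAMPLE_HOST, "/reports/q1.txt", b"hello", ak, sk, SAMPLE_TIME).items():
        print(f"{name}: {value}")
```

Because the payload hash and the secret both feed the signature, a request whose body is altered in transit, or that is signed with a stale client_secret, fails verification at the API.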
Supported operations
Main folders (S3 buckets)
| Request | Description |
| --- | --- |
| PUT /{bucketName} | Create a main folder |
| DELETE /{bucketName} | Delete a main folder |
Files (S3 objects)
| Request | Description |
| --- | --- |
| HEAD /{bucketName}/{filePath} | Retrieve metadata |
| GET /{bucketName}/{filePath} | Download a file |
| PUT /{bucketName}/{filePath} | Upload a file |
| DELETE /{bucketName}/{filePath} | Delete a file |
| POST /{bucketName} | Delete multiple files |
ℹ️ Interactive REST documentation is available in Swagger after setup.
rclone
You can use rclone with the Tresorit API to transfer or synchronize local folders.
- rclone mount: Continuous synchronization or mounting
ℹ️ Configuration steps are available in the GitHub repository.
S3 SDKs
Standard Amazon S3 SDKs can be used to integrate Tresorit storage directly into your applications.