VT EpesiCloud Vault
Launch console →
Unified Object Storage Router

One file storage layer for all your applets.

CRM, Invoices, Pulse, blindspot, avatars — every applet gets decoupled from direct AWS/R2 keys. Instead, they upload files directly to browser-safe pre-signed PUT URLs. Vault handles the secure path generation, checksum checks, and serves download URLs dynamically.

The upload pipeline

Direct to bucket uploads.

Files go directly from the client's browser to the cloud bucket using pre-signed PUT keys, keeping your node servers light and fast.

Client Browser → 1. Request presigned URL (/api/v1/uploads)Vault server → matches container policy & gets active credentials → returns temporary S3 presigned PUT URL Client Browser → 2. PUT file binary data → Storage Provider (R2 / S3 / MinIO) Client Browser → 3. Confirm completion (/api/v1/uploads/:id/complete)Vault server → runs S3 HeadObject verification on the bucket → registers file size + checksum & saves metadata
Core features

Built for scale.

Direct Uploads

Upload files directly from client to S3 using pre-signed PUT links, avoiding server bottlenecks.

BYO Bucket (Bring Your Own)

Let enterprise clients connect their own custom R2 or S3 credentials to connect Vault to their buckets.

Folder Isolation

Files in a shared bucket are automatically organized under client-specific `tenants/{tenantId}/` folder structures.

Container Limits

Enforce visibility levels (public vs private), size constraints, and file extension checks at the container level.

API Keys for Applets

Issue scoped keys so CRM, Engage, and other tools can register and link files programmatically.

Temporary Signed GETs

Request dynamic, short-lived download links to keep sensitive documents safe from unauthorized access.

Supported engines

Multiple storage providers.

Vault connects to any S3-compatible API. Standard providers are registered out of the box.

Cloudflare R2 (Default) Amazon S3 MinIO (Local Dev) Google Cloud Storage (GCS) Backblaze B2