Introduction to fimidara


What is fimidara?


fimidara is a developer-focused file storage service, similar to AWS S3, but with enhanced access control and management features:

  • Hierarchical file storage – Organize files in folders and subfolders.
  • Access control – Precisely manage who can access your files.
  • File search – Quickly find files. (coming soon)
  • File versioning – Track and manage file versions. (coming soon)
  • File sharing – Easily share files with others. (coming soon)
  • File processing – Process images, videos, and more. (coming soon)
  • File server – Serve files publicly, including from external sources like AWS S3. (coming soon)

fimidara solves the "rogue link" problem—ensuring that file links are only accessible by design, not by accident. This strict access control extends to all resources, including collaborators, workspaces, and folders. In addition to security, fimidara offers robust tools for managing your files.


How does fimidara work?


fimidara enforces access control using three main concepts: agent tokens, permission groups, and permission items.


  • Agent tokens are JWTs that enable programmatic access for both client and server applications.
  • Permission groups bundle permissions together and can be assigned to entities (users, agent tokens, or other groups).
  • Permission items are the actual rules that allow or deny access. They can be assigned directly to entities or inherited via permission groups, making permission management flexible and reusable.

Every workspace includes a default Public permission group, which controls access for unauthenticated (public) requests.


When a request is made (e.g., to read a file), fimidara checks the Authorization header for a JWT. If present, it verifies the token and determines the associated agent token. fimidara then checks all permission items assigned to the agent token (including those inherited from groups and the Public group). If a permission grants access, the request is allowed; if not, or if an explicit deny is found, access is denied. Public (unauthenticated) requests follow the same process, but without a JWT or agent token.