Storage Bucket Access
Access control for storage buckets.
The storage service does not manage bucket permissions. Configure access control in your storage provider's console.
For public assets (like avatars), make the bucket or prefix publicly readable and store the public URL in your database. Use read-only access and keep object keys unguessable.
Keep in mind that "unguessable" URLs are not the same as "secure": anyone with the URL can access the file. This is fine for public content but not for sensitive documents.
For private content, keep the bucket private and generate signed URLs server-side (via your provider SDK or CDN), with short expiration times.
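How a signed URL differs from an unguessable one, as an added example (not from the original page and not any provider's actual URL format): a generic HMAC scheme that binds a link to one object and an expiry time. The host name, query parameter names and in-memory key are assumptions for illustration; in practice your provider SDK or CDN creates and checks the signature.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Assumed values for illustration only (hypothetical host, key storage, limits).
BASE_URL = "https://files.example.invalid"
SIGNING_KEY = secrets.token_bytes(32)  # stays on the server, never sent to clients
MAX_TTL = 15 * 60  # cap lifetime so a leaked link stops working quickly


def _mac(method, path, expires):
    # The signature covers method, object path and expiry, so none can be altered.
    msg = f"{method}\n{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(object_key, ttl=300, now=None):
    """Return a GET URL for object_key that is valid for ttl seconds."""
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("ttl must be between 1 and MAX_TTL seconds")
    now = time.time() if now is None else now
    expires = int(now) + ttl
    path = "/" + quote(object_key, safe="/")
    query = urlencode({"expires": expires, "sig": _mac("GET", path, expires)})
    return f"{BASE_URL}{path}?{query}"


def verify_url(url, method="GET", now=None):
    """Edge-side check: recompute the MAC first, then enforce the expiry."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    expected = _mac(method, parts.path, expires)
    # Constant-time comparison; the expiry is only trusted once the MAC matches.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    return now < expires
```
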